Numerous Visible Wireless subscribers are reporting that their accounts were hacked this week. Visible runs on Verizon’s 5G and 4G LTE networks and is owned by Verizon.
Suspicions of a data breach at Visible started Monday when some customers saw unauthorized purchases on their accounts:
— Kelley (@ksmrz77) October 12, 2021
On the Visible subreddit, users reported seeing unauthorized orders placed from their accounts:
Great, someone hacked my @visible account, purchased iPhone using my PayPal, and changed the password. @visiblecare is not responding. Scammer also tricked me with email spams in an effort to make me miss any email notifications from Visible.
— Kristian Kim (@kristiankim) October 13, 2021
Credential stuffing likely, company says
In an email sent to customers and posted publicly yesterday, Visible shared what it believes caused the hacks.
“We have learned of an incident wherein information on some member accounts was changed without their authorization. We are taking protective steps to secure all impacted accounts and prevent any further unauthorized access,” said Visible in the announcement. “Our investigation indicates that threat actors were able to access username/passwords from outside sources and exploit that information to log in to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.”
The company’s wording suggests that customer credentials were obtained from a third-party leak or breached database and then used to access customer accounts, a practice known as credential stuffing. The company advises customers to reset passwords and security information and will prompt users to re-validate payment information before further purchases can be made.
But an expert has cast doubts on the credential-stuffing theory, noting that Visible admitted in a tweet to “technical issues” with its chat platform this week, with the company briefly unable to make any changes to customer accounts. Visible has since deleted its tweet.
Did Visible know since last week?
Although Visible made a public statement yesterday, the company first acknowledged the issue on Twitter on October 8. At the time, Visible provided a vague reason: order confirmation emails erroneously sent out by the company.
“We’re sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it,” the company told a customer.
One Visible customer reacted angrily to the delay, saying, “This response is completely irresponsible, given the fact that you are currently under attack and are aware of MANY users that have had their accounts compromised.”
Visible says customers won’t be held liable for any unauthorized charges. “If there is a mistaken charge on your account, you will not be held accountable, and the charges will be reversed,” the company said.
Visible customers impacted by the incident should monitor for suspicious transactions and change their passwords, both on their Visible account and any other websites where they have used the same credentials.