Numerous Visible Wireless subscribers are reporting their accounts have been “hacked” this week. Visible runs on Verizon’s 5G and 4G LTE networks. Rather than being a Mobile Virtual Network Operator (MVNO), Visible is actually owned by Verizon.
Suspicions of a data breach at Visible started Monday when some customers saw random unauthorized purchases on their Visible accounts:
@Visible I was just hacked! They sent themselves a phone and changed my address! Urgent!’ How do i@stop this!!!! HURRY!!
— Kelley (@ksmrz77) October 12, 2021
On the Visible subreddit, users have reported seeing unauthorized orders placed from their accounts, with a shipping address different from theirs:
Social media was flooded with similar reports of customers not receiving a response from Visible for days:
Great, someone hacked my @visible account, purchased iPhone using my PayPal, and changed the password. @visiblecare is not responding. Scammer also tricked me with email spams in an effort to make me miss any email notifications from Visible.
— Kristian Kim (@kristiankim) October 13, 2021
Credential stuffing likely the cause of hacked accounts
In an email sent out to customers and a public announcement posted yesterday, Visible shared what could be the cause of these hacks:
“We have learned of an incident wherein information on some member accounts was changed without their authorization. We are taking protective steps to secure all impacted accounts and prevent any further unauthorized access,” said Visible in an announcement. “Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.”
Rather than a data breach at Visible itself, the company’s wording makes it sound like customer credentials were obtained from a third-party leak or breached database and then used to access customer accounts—a practice known as credential stuffing. The company advises customers to reset passwords and security information and will prompt users to re-validate payment information before further purchases can be made.
But experts have cast doubts on theories that this incident stemmed from credential stuffing, considering Visible also admitted to “technical issues” on its chat platform, with the company briefly unable to make any changes to customer accounts just this week. Visible’s tweet mentioning this information was deleted by the company.
Did Visible know about the incident since last week?
Although a public statement from Visible arrived yesterday, the company had first acknowledged the issue on Twitter on October 8, if not earlier. Interestingly, a vague reason was provided at the time—order confirmation emails having been erroneously sent out by Visible. “We’re sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it.”
One Visible customer reacted angrily to the delay: “This response is completely irresponsible, given the fact that you are currently under attack and are aware of MANY users that have had their accounts compromised.”
Despite the panic generated among hacked customers, at least, one can find relief in the fact that customers won’t be held liable for any unauthorized charges. “If there is a mistaken charge on your account, you will not be held accountable, and the charges will be reversed,” states the company as the investigation continues.
In addition to monitoring for suspicious transactions, Visible customers impacted by the incident should change their credentials, both on Visible websites and any other websites where they have used the same credentials.