Visible, a budget cellular carrier owned by Verizon, has confirmed that hackers accessed and charged user accounts.
The incident, first reported by The Verge, came to light earlier this week after Visible customers took to social media to report that their accounts had been hijacked. Some reported that their email address and password had been changed, and many said that unwanted charges had been made through their Visible accounts.
One customer wrote in the Visible subreddit that their account was hacked and that an iPhone was bought using the PayPal account connected to it. Another said they had three iPhones ordered within 24 hours in their name. "Each time a different shipping/billing address," they said.
While Visible initially remained silent on the issue, the company on Wednesday confirmed on Twitter that “threat actors were able to access username/passwords from outside sources, and exploit that information to log in to Visible accounts.” This, along with a follow-up tweet advising users not to re-use passwords across multiple accounts, suggests those affected were likely victims of a large-scale credential stuffing attack. In such an attack, stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords, are used in automated login requests to gain unauthorized access to accounts.
However, although this suggests that Visible itself wasn’t breached, many customers have highlighted the carrier’s lack of support for two-factor authentication (2FA), a control that may have prevented the hijacking of accounts.
TechCrunch has asked Visible whether it has plans to enable 2FA, but the company has yet to respond. The carrier has not yet said how many users are affected.
We're aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we initiated a review & deployed tools to mitigate the issue, enabling additional controls to further protect our members.🧵
— Visible (@Visible) October 13, 2021
In a statement given to The Verge, the company said: “Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.
“Protecting customer information — including securing customer accounts — is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at visible.com.”
Per the Visible subreddit, the company has also told customers that, moving forward, “any purchases will require you to re-validate your payment information as an added security measure.” The company is also advising users to reset their passwords, particularly any password that is used for multiple services.