Visible, a low-cost cellular operator owned by Verizon, has confirmed that hackers have accessed user accounts and made charges through them.
The incident, first reported by The Verge, came to light earlier this week after Visible customers took to social media to report that their accounts had been hacked. Some reported that their email address and password had been changed, and many said that unwanted charges were made through their Visible accounts.
A customer wrote in the Visible subreddit that their account was hacked and an iPhone was purchased using the PayPal account linked to it. Another said three iPhones were ordered in their name within 24 hours. “Each time a different delivery / billing address,” they said.
While Visible initially remained silent on the matter, the company on Wednesday confirmed on Twitter that “threat actors were able to access username / passwords from external sources and exploit that information to log into Visible accounts”. This, along with a follow-up tweet advising users not to reuse passwords across multiple accounts, suggests that those affected may have been the victims of a large-scale credential-stuffing attack, in which stolen account credentials, typically lists of usernames and / or email addresses and their corresponding passwords, are used to gain unauthorized access to accounts through automated login requests.
However, while this suggests that Visible itself was not breached, many customers pointed to the carrier's lack of two-factor authentication (2FA) support, which may have prevented the account takeovers.
TechCrunch has asked Visible if it plans to enable 2FA, but the company has yet to respond. The carrier has not yet specified how many users are affected.
In a statement given to The Verge, the company said, “Visible is aware of an issue where certain member accounts were viewed and / or billed without their permission. As soon as we were made aware of the issue, we immediately initiated a review and began deploying tools to mitigate the issue and allow additional controls to better protect our customers.
“Protecting customer information, including securing customer accounts, is of critical importance to our business and our customers. As a reminder, our company will never call to ask for your password, your secret questions or the PIN codes of your account. If you believe your account has been compromised, please contact us via the chat on visible.com.”
According to the Visible subreddit, the company also told customers that in the future, “any purchase will require you to revalidate your payment information as an added security measure.” The company also advises users to reset their passwords, especially if it is a password used for multiple services.