Wireless carrier Visible denies any data breach as the account takeover continues

Some customers of Verizon-owned Visible Wireless Services are learning hard lessons about reused passwords and how they can lead to compromised accounts. Meanwhile, the carriers themselves appear to be learning lessons about better communication with their customers.

The issue surfaced earlier this week when some of Visible's customers reported on Reddit that someone had accessed their wireless service user accounts and changed their login information.

Many of the same customers also said that unwanted charges were made through their Visible accounts, usually because whoever seized control of the account helped themselves to a new iPhone at Visible's online store. Others said they got little or no help from Visible, which does not have a customer support phone service.

"Hey, my account was hacked and they shipped me an iPhone 13 worth 1k taken from my PayPal," wrote one user on Reddit.

"I am aghast.

Visible is a Verizon-owned low-cost mobile carrier that offers cheap unlimited data plans and also sells phones and wearables. All customer sales and service is done through Visible's website.

"A few members' accounts have been changed without their permission," Visible posted on Reddit in response to the complaint. "We do not believe Visible's systems have been compromised. We recommend that you review your account contact information and change your Visible account password and security questions."

Visible told Tom's Guide that the incident was not the result of a data breach in which hackers obtained login data from Visible.

"According to our investigation, the threat actor was able to access usernames/passwords from an external source and exploit that information to log into Visible accounts," a company spokesperson told us via statement.

Tom's Guide also reached out to Visible for comment on customer complaints about the response, but has not yet received a response.

At least some of the affected Visible users may have been victims of "credential stuffing." This is when bad guys get their hands on some of the billions of credential sets (username/password combinations) circulating on the Internet as a result of years of data breaches and phishing attacks, and fire a barrage of those credential sets at a specific website.

In fact, the Internet is a "virtual" place.

Some of these login attempts will work, since virtually everyone reuses at least some passwords. Even if the success rate is only a few percent, fraudsters will be able to hijack many accounts if they start with millions of stolen credentials.
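From the defending site's side, the pattern described above (one source trying many different accounts, with only a small fraction succeeding) is visible in its login logs. The following is an added example, not code from Visible or from the original article; the log format, thresholds, addresses and account names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log: format and values are assumptions, not Visible data.
_NAMES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_LOG = "\n".join(
    [f"2021-10-12T03:14:{i:02d}Z ip=203.0.113.7 user={n}@example.com "
     f"result={'ok' if n == 'erin' else 'fail'}" for i, n in enumerate(_NAMES)]
    + ["2021-10-12T08:00:00Z ip=198.51.100.20 user=bob@example.com result=fail",
       "2021-10-12T08:00:09Z ip=198.51.100.20 user=bob@example.com result=ok",
       "garbage line that does not match the format"]
)

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (ip, user, succeeded) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "ok"

def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.25):
    """Flag source IPs that try many distinct usernames and mostly fail.

    Returns {ip: sorted accounts that ip logged into successfully}, i.e. the
    accounts to lock and force-reset through a channel the intruder cannot edit.
    """
    tried = defaultdict(set)   # ip -> distinct usernames attempted
    hits = defaultdict(set)    # ip -> usernames with a successful login
    for ip, user, ok in parse(log_text):
        tried[ip].add(user)
        if ok:
            hits[ip].add(user)
    flagged = {}
    for ip, users in tried.items():
        success_rate = len(hits[ip]) / len(users)
        # A real user retrying one password has one username; a stuffing
        # run has many usernames and a low per-account success rate.
        if len(users) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: suspected credential stuffing, review accounts {accounts}")
```

Per-IP grouping misses attempts spread thinly across many addresses, so the thresholds here are a starting point rather than a complete control.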

Some Visible users on Reddit and Twitter said they had unique passwords, but Visible's own tweets suggest that credential stuffing is exactly what the company thinks happened.

"If you are using your Visible username and password for multiple accounts, including banking/financial accounts, we recommend that you update your username/password on those services," the company said on Wednesday (October 13).

However, many Visible users said they were unable to change their account passwords on the company's website.

"Visible has disabled the password reset feature (I don't know why), so the reset link for a new password is sent to the email address where the hacker first changed it. This is a terrible show and Visible has no way to survive."

"As soon as we became aware of this issue, we immediately began a review and began deploying tools to mitigate the issue and enable additional controls to further protect our customers," Visible said as part of its statement.

Many online services offer two-factor authentication (2FA) to account holders. This is an optional feature that makes it more difficult for an attacker to break into your account even if they know your username and password; Visible does not appear to have this option.

If you have a Visible account and suspect that you are reusing your Visible username and password on other websites, start by changing your passwords on other sites.

Use one of the best password managers to avoid being overwhelmed by many complex passwords.
