Wireless carrier Visible denies data breach as account takeovers persist

Four hands in shirt sleeves holding up smartphones displaying the Visible wireless carrier logo.
(Image credit: Visible)

Some customers of the Verizon-owned Visible wireless service are getting a hard lesson about re-used passwords and how they can lead to compromised accounts. Meanwhile, the carrier itself seems like it's being taught a lesson about better communication with its customers.

The problem surfaced earlier this week, when some Visible customers posted reports on Reddit that someone had accessed their user accounts with the wireless service and changed their login information.

Many of the same customers also said that unwanted charges had been made through their Visible accounts, usually in the form of the person seizing control of the account helping themselves to a new iPhone in the Visible online store. Others said they'd not been able to get much — or any — help from Visible, which has no customer-support telephone service.

"Dude my account got hacked and they shipped out a iPhone 13 worth 1k that was taken from my PayPal," wrote one user on Reddit. "I am fuming!"

Visible is a low-cost cellular carrier, owned by Verizon, that offers cheap unlimited-data plans and also sells phones and wearables. All customer sales and services are done through the Visible website.

"A small number of member accounts was changed without their authorization," Visible posted on Reddit in response to the complaints. "We don't believe that any Visible systems have been breached or compromised. ... We recommend you review your account contact information and change your password and security questions to your Visible account."

Visible told Tom's Guide that the incidents weren't the results of a data breach in which hackers obtained login data from Visible. 

"Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts," a company spokesperson told us through a statement.

Tom's Guide also asked Visible for comment on the customer complaints about responsiveness, but we have yet to receive an answer.

Possible credential stuffing

At least some of the affected Visible users may be victims of "credential stuffing." That's when a crook takes some of the billions of credential sets (username and password combinations) floating around the internet as the result of years of data breaches and phishing attacks, then shoots those credential sets rapid-fire at specific websites. 

A few of those login attempts will work because practically everyone reuses at least some passwords. Even if the success rate is just a couple of percentage points, the crook will be able to take over a lot of accounts if they're starting with millions of stolen credentials.

Some Visible users on Reddit and Twitter did say they had unique passwords, but Visible's own tweets suggest that credential stuffing exactly what the company thinks is going on.

"If you use your Visible username & password across multiple accounts, including your bank/financial accounts, we recommend updating your username/password with those services," the company said Wednesday (Oct. 13).

Too late to change your Visible password?

However, many Visible users said they weren't able to change their own account passwords on the company website — a step that Visible may have taken to stop more account takeovers.

"Because Visible disabled the reset your password feature (why??? I have no idea) the new password reset link is now going to go to the first email address the hacker changed it to," said one Reddit user. "This is such a sh*t show and I see no way Visible can survive this."

"As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers," Visible said as part of its statement.

Many online services offer two-factor authentication (2FA) to account holders, an optional feature that makes it much more difficult for attackers to break into accounts even if they know the username and password. Visible does not appear to have this option.

If you have a Visible account, and you think you may have reused your Visible username and password on other websites, then start by changing your password on each of those other sites — and make each new password strong and unique. 

To avoid being overwhelmed by lots of complicated passwords, use one of the best password managers — some of which are free.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.