Visible, a US digital wireless carrier owned by Verizon, has admitted that some customer accounts were hacked, after dealing with technical problems over the past couple of days.
The announcement was made on Visible’s official subreddit by an employee who said the company is investigating an incident that led to a small number of accounts being breached.
As the post mentions: “We’re currently investigating an incident where information on a small number of member accounts was changed without their authorization. We’re working hard to take protective steps to secure these accounts…You should review any other accounts that share the same email, login, or password, and make any changes you determine necessary to secure those accounts.”
While the company’s statement provides limited details regarding the incident, the employee advised customers to secure any accounts on other online services that use the same credentials, hinting at a potential credential stuffing attack.
The affected users noticed suspicious activity on their accounts, and some also report fraudulent card charges, but they all say they are unable to access their accounts and reset their passwords.
Users are also dealing with a privacy breach, as the account dashboards contain sensitive personal details like names, home addresses, and payment details.
Unfortunately, a payment method already added to the account cannot simply be removed; only new ones may be added. An old method can be deleted only after a new one has been added, verified, and selected as primary.
In the context of a data breach, this procedure is cumbersome and does not help affected users remediate the situation.
Visible says there was no breach
Visible says that none of its systems have been breached by hackers and advises customers to change their password and security questions out of an abundance of caution.
Although the firm presents this as a limited-scope incident, the fact that Visible’s official support account on Twitter has admitted technical issues with the chat platform is raising suspicions.
Members trying to reach us – we’re currently experiencing technical issues with our chat platform and are unable to make any changes to your account. We’re addressing this issue immediately. Please bear with us while our team rectifies the situation.
— Visible Care (@visiblecare) October 13, 2021
The above was posted a few hours ago, while the security update notice on Reddit came on Monday. This means that whatever is plaguing Visible’s services appears to be persistent and still ongoing.
We have reached out to Verizon for a clarifying statement, but we have not heard back yet.
One crucial point raised by a large number of Visible users is the absence of two-factor authentication as a security option for protecting their accounts.
While 2FA isn’t the ultimate form of security, especially in its SMS-based form, it could have provided effective protection against a mass-scale credential stuffing attack, assuming that this is what’s going on.