Verizon’s Visible Wireless Carrier Confirms Credential-Stuffing Attack

In an official Reddit announcement made on October 13th, Visible confirmed that some of its user accounts were hijacked. The exact number of affected user accounts is not known, and although Visible confirmed the account takeovers, it denies having suffered a data breach.

“Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.”

Visible is a Verizon-owned, all-digital wireless carrier in the U.S. It offers unlimited talk, text, data, and hotspot plans on Verizon’s 4G LTE and 5G networks. The service supports Apple and Android devices, which can also be purchased through Visible alongside a plan.

Thanks to its low-cost, all-you-can-eat data plans and aggressive marketing, it has erupted in popularity in recent years.

However, since Monday, October 12th, Visible users have been reporting that their accounts were hijacked by threat actors. While some were alerted in time and only had to change their login credentials, others were billed for purchases they did not authorize or make themselves, such as smartphones. The attackers also changed some users’ email addresses as part of the takeover.


Visible denies being directly responsible for the leak. Instead, it states that the credentials for hijacked accounts were obtained elsewhere and then used to log in to Visible user accounts:

“Our investigation indicates that threat actors were able to access username/passwords from outside sources and exploit that information to log in to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.”

Without brick-and-mortar stores, customers’ only recourse was to contact Visible’s chat or email support. However, it seems as if Visible’s customer support department was overwhelmed in the wake of the incident as many Visible users were left unable to get through to support staff.

Visible’s Subreddit is still inundated with horror stories from new and existing users who got scammed as part of the

One user had only just signed up with Visible and ordered a brand-new iPhone when their account was hijacked the very next day. The user woke up to a notification that their email address had been changed, followed by a notification that the delivery address had been changed.

After the initial complaints became public on that same Monday, Visible came out with the following statement downplaying the scale:

“We don’t believe that any Visible systems have been breached or compromised, nor that this unauthorized access to your Visible account is ongoing.”

However, as more and more reports of hijacked accounts flooded in and the scope continued to grow, more questions were asked about what exactly had happened. This is also not the first high-profile security incident affecting Verizon customers, following a mobile phishing scam earlier this year.

Could the Visible incident have been avoided?

Sadly, it seems that much of the fallout from the recent Visible incident could easily have been avoided.

While it seems as if lax security practices, such as reused passwords by some users, are also to blame, most of the fault lies with Visible for some of its more apparent failures.

Most glaringly, Visible does not offer any form of multi-factor authentication. Security experts widely recommend MFA as the control that stops the vast majority of credential-stuffing and brute-force login attempts, since a stolen password alone is no longer enough to get in.

Another weakness appears to be relatively weak security questions, which made the account-recovery flow easy for threat actors to bypass.

Both are relatively low-effort, low-cost changes that can drastically improve the security of public-facing services such as Visible.
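The pattern the article describes, many leaked username/password pairs replayed against a login endpoint with most attempts failing, is also detectable on the service side. The following is an added example, not code from the article or from Visible, that flags credential-stuffing sources in authentication logs and lists the accounts they got into so those can be reset first. The log format (`timestamp source_ip username result`) and the constructed log lines are assumptions made for this example.

```python
"""Flag credential-stuffing activity in authentication logs (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample authentication log (not real Visible data). The
# "timestamp source_ip username result" layout is an assumption for this
# example; adapt parse_log() to your own IdP or web server log format.
SAMPLE_LOG = """\
2021-10-11T20:01:02Z 203.0.113.7 alice FAIL
2021-10-11T20:01:03Z 203.0.113.7 bob FAIL
2021-10-11T20:01:03Z 203.0.113.7 carol OK
2021-10-11T20:01:04Z 203.0.113.7 dave FAIL
2021-10-11T20:01:05Z 203.0.113.7 erin FAIL
2021-10-11T20:01:06Z 203.0.113.7 frank FAIL
2021-10-11T20:05:00Z 198.51.100.2 alice OK
2021-10-11T20:06:00Z 198.51.100.2 alice OK
2021-10-11T20:07:00Z 192.0.2.9 bob FAIL
2021-10-11T20:07:30Z 192.0.2.9 bob OK
"""


class AuthEvent(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse whitespace-separated log lines into AuthEvent records."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        ts, ip, user, result = parts
        events.append(AuthEvent(ts, ip, user, result == "OK"))
    return events


def stuffing_sources(events: List[AuthEvent], min_users: int = 5,
                     min_fail_ratio: float = 0.5) -> Dict[str, Dict[str, int]]:
    """Return source IPs whose behaviour matches credential stuffing.

    A legitimate user mistyping a password hits one username from one
    address (192.0.2.9 above). A stuffing tool replays many leaked
    username/password pairs from one address and most of them fail.
    """
    users: Dict[str, set] = defaultdict(set)
    attempts: Dict[str, int] = defaultdict(int)
    failures: Dict[str, int] = defaultdict(int)
    for ev in events:
        users[ev.ip].add(ev.user)
        attempts[ev.ip] += 1
        if not ev.ok:
            failures[ev.ip] += 1
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, total in attempts.items():
        if len(users[ip]) >= min_users and failures[ip] / total >= min_fail_ratio:
            flagged[ip] = {"attempts": total,
                           "distinct_users": len(users[ip]),
                           "failures": failures[ip]}
    return flagged


def accounts_at_risk(events: List[AuthEvent],
                     flagged: Dict[str, Dict[str, int]]) -> Set[str]:
    """Accounts a flagged source logged into successfully.

    These are the accounts to force a password reset and session
    revocation on, before the attacker changes the email address.
    """
    return {ev.user for ev in events if ev.ok and ev.ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = stuffing_sources(evs)
    for ip, stats in sources.items():
        print(f"suspected stuffing source {ip}: {stats}")
    print("accounts to reset:", sorted(accounts_at_risk(evs, sources)))
```

The thresholds are deliberately conservative: a single address failing against five or more distinct usernames in a short window is not something a real customer produces, while the fail ratio keeps a shared office or carrier NAT address with many genuine logins from tripping the rule. Even so, the output is a prioritisation aid, not proof; the point is that the reused-password problem the article describes leaves a visible trace that MFA and rate limiting would have been able to act on.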

Low-hanging fruit aside, it also doesn’t look like Visible employed robust encryption and hashing protocols to mitigate the damage even should attackers penetrate their security perimeter.

However, users should also protect themselves by using strong password practices and not reusing credentials between accounts. Password managers and random password generators can help in this regard.

 

References

Visible Reddit – Here we go