Cell service provider Visible has confirmed customer reports of attackers accessing and changing user accounts, and it has said that the breaches were carried out using usernames and passwords from “outside sources.” In a statement to The Verge (which you can read in full below), the Verizon-owned carrier said that it’s worked to “mitigate the issue” since it became aware of it, though it doesn’t mention exactly what measures it’s put in place to protect customers.
Starting earlier this week, customers of Verizon’s lower-cost service were reporting unauthorized charges from Visible on their PayPal or credit card statements, as well as emails telling them that their accounts’ passwords or addresses had been changed. Some customers have been frustrated with a lack of response from the company, as it hasn’t sent out emails or texts about the situation and was largely silent on social media until Wednesday, when it posted a Twitter thread.
In both its statement and on Twitter, the company recommends resetting your password if it’s one you’ve used for other services. It’s good advice, but the company has turned off its password reset system — it wasn’t available yesterday, and as of Wednesday morning you’ll still get an error if you try to change your password.
Hackers getting into accounts using passwords found elsewhere is very common, which is why everybody (including Visible) says to use unique passwords for each service and to change your passwords in the case of a breach. Security experts also recommend using two-factor authentication, which can help protect you even if your password fails (like in a situation where you’re not able to change it). Visible, however, doesn’t support two-factor authentication, which means that its customers are still potentially open to these kinds of attacks.
Here’s Visible’s full statement.
Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.
Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to log in to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.
Protecting customer information — including securing customer accounts — is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at visible.com.