Visible, a carrier owned by Verizon, suffered what some believed was a data breach on Wednesday, with some customer accounts hacked (via ArsTechnica).
Hacking Into Visible
Reports from customers on Twitter and Reddit showed that they saw unauthorized purchases with their Visible account. The hacker(s) used the person’s payment information on file to order iPhones, and changed the passwords and/or email on the account.
On Wednesday Visible shared a statement:
We have learned of an incident wherein information on some member accounts was changed without their authorization. We are taking protective steps to secure all impacted accounts and prevent any further unauthorized access.
Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.
The statement sounds like it was a credential stuffing attack, wherein accounts are broken into because the username and password had been leaked elsewhere. But as ArsTechnica reports, it’s possible Visible’s system was compromised earlier.
A tweet from a customer on October 8 saids they noticed an email thanking them for an order, when they didn’t order anything. Visible’s response said the emails was due to an error.
Visible says that customers won’t be held liable for these unauthorized purchases: “If there is a mistaken charge on your account, you will not be held accountable, and the charges will be reversed.”