Verizon-owned Visible customers claim account hijacks, bogus iPhone orders

article thumbnail

AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Multiple Verizon Visible users are reporting that their accounts have been hijacked, and used to fraudulently order phones — but the company disagrees with how the accounts were compromised.

Visible is a Verizon brand that has previously been known for running flash sales on iPhone models. It appears now, however, that the service does not use two-factor authentication to protect accounts, as many users are reporting issues with being hacked.

According to XDA, users are typically saying that their shipping address has been changed by a hacker. This person, or people, then seems to usually order an iPhone 13 to be sent to the the new address, and charged to the original account holder.

Reportedly, support is coming solely from other users, rather than Visible. The carrier has yet to acknowledge the issue publicly, but XDA says its actions show the firm is now aware of the problem.

Visible has now locked-out any changes to billing information, or changes of password. This is intended to stop the fraud, but it also leaves affected users unable to change their details back, or to remove billing information.

It's not clear whether Visible itself has directly suffered a data breach. Instead, it is possible that at least some of the accounts are being accessed because their passwords are the same as on another breached service.

However, an unknown number of users are reporting that they have been affected even though they used a randomly-generated password that was exclusive to their Visible account.

On Wednesday afternoon, Visible responded to AppleInsider's request for comment. The company denied that there was any account information exfiltration, and blamed reuse of passwords for the issue.

"Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts," the company said in a statement. "If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services."

The company says that it has initiated a review, and has "started deploying tools to mitigate the issue and enable additional controls to further protect our customers."

Update October 13, 1:54 PM Eastern time: Updated with statement from Visible.