Multiple Verizon Visible users are reporting that their accounts have been hijacked, and used to fraudulently order phones — but the company disagrees with how the accounts were compromised.
Visible is a Verizon brand that has previously been known for running flash sales on iPhone models. It appears now, however, that the service does not use two-factor authentication to protect accounts, as many users are reporting issues with being hacked.
According to XDA, users are typically saying that their shipping address has been changed by a hacker. This person, or people, then usually seems to order an iPhone 13 to be sent to the new address and charged to the original account holder.
@Visible I was just hacked! They sent themselves a phone and changed my address! Urgent! How do I stop this!!!! HURRY!!
— Kelley (@ksmrz77) October 12, 2021
Reportedly, support is coming solely from other users, rather than Visible. The carrier has yet to acknowledge the issue publicly, but XDA says its actions show the firm is now aware of the problem.
Visible has now locked out any changes to billing information, or changes of password. This is intended to stop the fraud, but it also leaves affected users unable to change their details back, or to remove billing information.
It's not clear whether Visible itself has directly suffered a data breach. Instead, it is possible that at least some of the accounts are being accessed because their passwords are the same as on another breached service.
However, an unknown number of users are reporting that they have been affected even though they used a randomly-generated password that was exclusive to their Visible account.
On Wednesday afternoon, Visible responded to AppleInsider's request for comment. The company denied that there was any account information exfiltration, and blamed reuse of passwords for the issue.
"Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to log in to Visible accounts," the company said in a statement. "If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services."
The company says that it has initiated a review, and has "started deploying tools to mitigate the issue and enable additional controls to further protect our customers."
Update October 13, 1:54 PM Eastern time: Updated with statement from Visible.
2 Comments
Whooh, it's blame the victims time!
This is of course completely unrelated to the Syniverse hack where customer data from nearly 250 telecom companies was exfiltrated over at least a two year period.
My prediction: A few months from now we will get the obligatory apology when VZ realizes they were hacked and this will be ignored by the FTC and forgotten by the public.
If this had happened to Apple, the class-action lawsuit would already be underway and Congress would be demanding hearings.