Update 1 (10/13/2021 @ 13:30 ET): Visible has released the following statement about the incident, claiming that it was not breached:

Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.

Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to log in to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.

Protecting customer information -- including securing customer accounts -- is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at visible.com.

The article as published on October 12, 2021, is preserved below.

Visible is a "digital" carrier owned by Verizon, with a greater emphasis on fair pricing and shared plans. The company has gained popularity for its relatively low pricing for unlimited data plans, and earlier this year, Visible introduced 5G service and eSIM support. However, Visible subscribers are now experiencing something a lot less fun than saving money — many accounts are being hijacked, often to purchase phones for whoever obtained access.

Social media sites, especially the Visible subreddit, are currently flooded with reports of Visible accounts being hijacked. In most cases, the email address associated with the account is reset by an unknown attacker, then the payment method on the account is used to order a phone.

"My account got hacked and they shipped out a [sic] iPhone 13 worth 1k that was taken from my PayPal," one Reddit user wrote. Another said, "I literally signed up for Visible yesterday, and bought a [sic] $812 iPhone through their website. I woke up to an email this morning telling me that the email address associated with my account has been changed. [...] 7 hours later I got an email saying the shipping address on my account has been changed, and no, I still wasn't able to log in."

It's not clear if Visible itself suffered a data breach, or if the attackers are using usernames and passwords obtained from other data breaches to log in, a tactic known as credential stuffing. Some Visible subscribers claim to have used randomly generated passwords for their accounts that were not used elsewhere, which would indicate Visible itself had a security breach, but it's probably still too early to tell. Visible also does not support two-factor authentication, a control that could have limited the damage from any security breach.

Visible has not yet publicly announced the breach, but the company is definitely aware because it has locked password resets and changes to billing information. We have reached out to Visible for more information, and we will update this article if we hear back.

Thanks Moira for the news tip!