[Update: Statement] Verizon-owned Visible network suffers suspected data breach
Visible is a “digital” carrier owned by Verizon, with a greater emphasis on fair pricing and shared plans. The company has gained popularity for its relatively low pricing for unlimited data plans, and earlier this year, Visible introduced 5G service and eSIM support. However, Visible subscribers are now experiencing something a lot less fun than saving money — many accounts are being hijacked, often to purchase phones for whoever obtained access.
Social media sites, especially the Visible subreddit, are currently flooded with reports of Visible accounts being hijacked. In most cases, the email address associated with the account is reset by an unknown attacker, then the payment method on the account is used to order a phone.
“My account got hacked and they shipped out a [sic] iPhone 13 worth 1k that was taken from my PayPal,” one Reddit user wrote. Another said, “I literally signed up for Visible yesterday, and bought a [sic] $812 iPhone through their website. I woke up to an email this morning telling me that the email address associated with my account has been changed. […] 7 hours later I got an email saying the shipping address on my account has been changed, and no, I still wasn’t able to log in.”
Are you going to address the fact that many of your users' accounts have been compromised? People are having their information changed and phones ordered fraudulently and you all have said nothing.
— free britney (@nathanpt21) October 11, 2021
@Visible It’s time to make a statement addressing the fact that hundreds of members (including myself) had their accounts compromised & thousand dollar phones charged to their default payment method. You then disabled password resets & we’re no longer able to access our accounts.
— itswhatiam (@itswhatiam) October 11, 2021
It’s not clear if Visible itself suffered a data breach, or if the attackers are using usernames and passwords obtained from other data breaches to log in — a tactic known as credential stuffing. Some Visible subscribers claim to have used randomly generated passwords for their accounts that were not used elsewhere, which would indicate Visible itself had a security breach, but it’s probably still too early to tell. Visible also does not support two-factor authentication, a protection that could have limited the damage from any security breach.
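The sequence subscribers describe (account email changed, then an order or a shipping-address change against the stored payment method) is something a service can alert on regardless of how the password was obtained. The sketch below is an added example, not Visible's code or anything from the reports; the event names, the 24-hour window and the sample log rows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample account events (account id, ISO timestamp, event type).
# These are illustrative rows, not real Visible logs.
EVENTS = [
    ("acct-1", "2021-10-11T02:10:00", "login"),
    ("acct-1", "2021-10-11T02:12:00", "email_changed"),
    ("acct-1", "2021-10-11T02:30:00", "order_placed"),
    ("acct-1", "2021-10-11T09:15:00", "shipping_address_changed"),
    ("acct-2", "2021-10-11T08:00:00", "login"),
    ("acct-2", "2021-10-11T08:05:00", "order_placed"),
    ("acct-3", "2021-10-01T12:00:00", "email_changed"),
    ("acct-3", "2021-10-09T12:00:00", "order_placed"),
]

# Actions that spend money or redirect goods (hypothetical event names).
FOLLOW_UPS = {"order_placed", "shipping_address_changed"}
WINDOW = timedelta(hours=24)  # assumed threshold; tune against real traffic


def flag_takeovers(events, window=WINDOW):
    """Return {account: [(event, delay)]} for accounts where an email change
    is followed by an order or shipping change inside the window."""
    by_account = {}
    for account, ts, kind in events:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), kind))

    flagged = {}
    for account, rows in by_account.items():
        rows.sort()  # events may arrive out of order; evaluate chronologically
        last_email_change = None
        for ts, kind in rows:
            if kind == "email_changed":
                last_email_change = ts
            elif kind in FOLLOW_UPS and last_email_change is not None:
                delay = ts - last_email_change
                if delay <= window:
                    flagged.setdefault(account, []).append((kind, delay))
    return flagged


if __name__ == "__main__":
    for account, hits in flag_takeovers(EVENTS).items():
        for kind, delay in hits:
            print(f"{account}: {kind} {delay} after email change")
```

A hit like this is a reason to hold the order and confirm with the previous email address or phone number, not proof of fraud on its own.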
Visible has not yet publicly announced the breach, but the company is definitely aware because it has locked password resets and changes to billing information. We have reached out to Visible for more information, and we will update this article if we hear back.
Thanks Moira for the news tip!