Mobile service provider Visible has confirmed customer reports of attackers accessing and modifying user accounts, and it has said the breaches were carried out using usernames and passwords from “external sources”. In a statement to The edge (which you can read in full below), Verizon’s airline said it has been working to “reduce the problem” since it became aware of it, though it doesn’t specify exactly what measures it has taken to protect customers.
Early this week, customers of Verizon’s lower-cost service reported unauthorized charges from Visible on their PayPal or credit card statements, as well as emails stating that their account passwords or addresses had been changed. Some customers have been frustrated with the company’s lack of response, as it failed to send emails or texts about the situation and was largely silent on social media until Wednesday, when it posted a Twitter thread.
If you use your Visible username and password for multiple accounts, including your bank/financial accounts, we encourage you to update your username/password with those services. Reminder: Visible will never call and ask for your password, secret questions or account PINs.
— Visible (@Visible) October 13, 2021
In both the statement and on Twitter, the company recommends resetting your password if it’s one you’ve used for other services. It’s good advice, but the company has disabled its password recovery system – it was unavailable yesterday, and as of Wednesday morning, you’re still getting an error if you try to change your password.
Hackers accessing accounts with passwords found elsewhere is very common, which is why everyone (including Visible) says to use unique passwords for each service and change your passwords in the event of a breach. Security experts also recommend using two-factor authentication, which can help protect you even if your password fails (such as in a situation where you can’t change it). However, Visible does not support two-factor authentication, meaning its customers are still potentially open to these types of attacks.
Here’s the full statement from Visible.
Visible is aware of an issue where some member accounts were opened and/or charged without their consent. Once we became aware of the issue, we immediately initiated an assessment and began implementing tools to address the issue and enable additional checks to further protect our customers.
Our investigation indicates that threat actors accessed username/passwords from external sources and misused that information to log into Visible accounts. If you use your Visible username and password for multiple accounts, including your bank or other financial accounts, we encourage you to update your username/password with those services.
Protecting customer information – including securing customer accounts – is critical to our business and our customers. As a reminder, our company will never call and ask for your password, secret questions, or account PINs. If you think your account has been hacked, please contact us via chat at visible.com.