Wireless carrier Visible denies data breach as account takeovers persist

Wireless carrier Telescopic denies data breach as account takeovers persist

(Double credit: Visible)

Some customers of the Verizon-owned Visible wireless service are getting a hard deterrent example about re-used passwords and how they tin can lead to compromised accounts. Meanwhile, the carrier itself seems like it's being taught a example virtually better communication with its customers.

The problem surfaced earlier this workweek, when close to Visible customers posted reports on Reddit that someone had accessed their substance abuser accounts with the wireless service and changed their login information.

Sunday-go-to-meeting unlimited data plans — where Visible's architectural plan ranks
The best cheap cell phone plans
Advantageous: Android phones cut you plane when you cop out, new research reveals

Many of the same customers too said that unwanted charges had been made through with their Visual accounts, usually in the organise of the person seizing control of the account helping themselves to a new iPhone in the Visible online store. Others said they'd not been able to get more — or any — help from Perceptible, which has no client-affirm telephone service.

"Dude my account got hacked and they shipped out a iPhone 13 worth 1k that was taken from my PayPal," wrote one substance abuser on Reddit. "I am fuming!"

Visible is a scummy-cost cellular carrier, owned by Verizon, that offers cheap unlimited-data plans and as wel sells phones and wearables. All client gross revenue and services are done through the Visible website.

"A small number of appendage accounts was changed without their authorization," Panoptical posted on Reddit in response to the complaints. "We don't consider that whatsoever Perceptible systems have been breached or compromised. ... We recommend you review your account contact information and change your password and security questions to your Visible account."

Visible told Tom's Guide that the incidents weren't the results of a information breach in which hackers obtained login data from Visible.

"Our investigation indicates that terror actors were competent to entree username/passwords from outside sources, and exploit that information to login to Visible accounts," a company spokesperson told us through a program line.

Tom's Templet also asked Ocular for comment on the customer complaints about responsiveness, but we have yet to undergo an answer.

Possible credential stuffing

Leastways extraordinary of the affected Visible users may embody victims of "certificate stuffing." That's when a crook takes some of the billions of credential sets (username and countersign combinations) floating around the internet as the result of years of data breaches and phishing attacks, then shoots those certificate sets rapid-attack at specific websites.

A some of those login attempts will do work because practically everyone reuses at least whatsoever passwords. Even out if the success rate is just a dyad of percentage points, the crook will constitute able-bodied to take over a lot of accounts if they're starting with millions of stolen credentials.

Both Telescopic users on Reddit and Chitter did say they had unique passwords, but Visible's own tweets suggest that credentials dressing exactly what the ship's company thinks is departure on.

"If you use your Visible username & password across multiple accounts, including your bank/financial accounts, we recommend updating your username/countersign with those services," the company aforementioned Wednesday (Oct. 13).

🚨If you use your In sight username & countersign across multiple accounts, including your bank/financial accounts, we urge updating your username/parole with those services. Monitor: Visible will never address & invite your password, unavowed questions or account PINs.🚨October 13, 2021

Too late to change your Visible password?

However, many Visible users aforementioned they weren't capable to interchange their own bill passwords on the company website — a step out that Visible may have taken to point more write u takeovers.

"Because Visible disabled the readjust your password have (wherefore??? I have no idea) the new parole reset link is today going to go to the first email address the cyberpunk changed it to," said i Reddit user. "This is such a sh*t show and I see no way Visible can go this."

"As soon as we were made aware of the go forth, we right away initiated a review and started deploying tools to mitigate the issue and enable additive controls to further protect our customers," Telescopic aforementioned as part of its affirmation.

Many online services extend ii-factor authentication (2FA) to account holders, an optional feature that makes it often more difficult for attackers to break into accounts even if they know the username and password. Visible does not appear to have this option.

If you bear a Visible account, and you think out you may have reused your Visible username and password on other websites, so start by changing your watchword on each of those other sites — and build each unaccustomed password strong and singular.

To avoid being overwhelmed by lots of complex passwords, employment one of the best parole managers — some of which are gratuitous.

Paul the Apostle Wagenseil is a senior editor program at Tom's Guide focused on security and privacy. He has also been a dishwasher, tyke James Cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for much 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in haphazard TV news spots and even tempered a panel discussion at the CEDIA abode-technology conference. You ass follow his rants on Chirrup at @snd_wagenseil.