Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones
from the whoops-a-daisy dept
Wireless subscribers of Verizon's Visible prepaid service received a rude awakening after hackers compromised their account, then ordered expensive new iPhones on their dime. Last week a company statement indicated that "threat actors were able to access username/passwords from outside sources," then utilize that access to login to Visible customer accounts. Hacked users say the attackers then utilized that access to order expensive kit, and, initially, getting Visible to do anything about it was a challenge:
Great, someone hacked my @visible account, purchased iPhone using my PayPal, and changed the password. @visiblecare is not responding. Scammer also tricked me with email spams in an effort to make me miss any email notifications from Visible.
— Kristian Kim (@kristiankim) October 13, 2021
The company seemed to initially claim this was an instance of "credential stuffing," or hackers obtaining login information obtained from other hacks or breaches of other services, then testing those logins in as many services as they can find. But experts doubted that claim, noting that the company had been complaining about issues with its chat services before acknowledging the hack. More specifically, Visible support reps were telling users that ambiguous "technical issues" had left it incapable of making any changes to customer accounts.
There are also questions about when the company knew about the hacks, with it initially trying to claim last week that the hack and subsequent iPhone orders were an ordinary system error:
Although Visible made a public statement yesterday, the company first acknowledged the issue on Twitter on October 8. At the time, Visible provided a vague reason: order confirmation emails erroneously sent out by the company.
"We're sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it," the company told a customer.
Again, this is where just a basic, internet-era privacy law requiring greater transparency (and perhaps a little more accountability for industries and executives that not only keep failing to secure user data, but clearly aren't great about being honest with their users) would come in kind of handy. Instead we keep just looking at the problem and shrugging because purportedly drafting competent privacy laws with any competency is deemed impossible, letting the repercussions pile up.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: breach, data breach, hack, prepaid service, visible
Companies: verizon
Reader Comments
Subscribe: RSS
View by: Time | Thread
"Visible", as in your usernames and passwords are visible to everyone.
[ link to this | view in chronology ]
not surprised
I tried signing to visible twice over the summer.
The first time, they took so long to process, that my previous service had expired, and so they couldn't do the port any more. And the reason it took so long to process is that the field for the password to do the port, only takes a-z 0-9. no symbols. So anyone that routinely makes more secure passwords, it'll fail and you have to wait an hour to deal with their (outsourced) reps.
Their solution? I pay for another month on my existing carrier, and then immediately port over to them. I said no.
2 months later, we tried porting my son's phone over. They sent him the wrong sim card, sending him one for an S6 and not a note10. Again, their only real solution was to cancel the account and start again.
And why is it so bad? Well, I've heard rumor's that its because the people on Visible's chat, are those that don't make their stats as a Verizon Tech-Coach (and at Asureon, the ONLY stat that matters for Verizon Tech Coach tech support staff is sales of the Asureon protection plan. Solving things, customer ratings, etc. Irrelevant. And Visible doesn't have that, so the only way to get sales figures to move back up to 'the good account', would be to sell phones.
Gee I wonder why it's so easy to charge phones to accounts on a service that ONLY handles you through a crappy webchat, or through social media DMs
[ link to this | view in chronology ]
What has happened
What has happened to Verizon? Their customer service has gone south and it seems they are either oblivious to it or okay with it....neither of which is acceptable to customers. I am astonished to see what has happened.
[ link to this | view in chronology ]
Re: What has happened
My other half worked for them for a while.
most of it is outsourced, to Asureon (who until recently, also handled pretty much ALL cell phone insurance in the US). Over the last 3-4 years, as they've lost contracts (like DirecTV going to overseas after the AT+T merger), home depot and walmart warranty contracts being cancelled, etc. they've had to focus more on selling than anything else.
So their cellphone support (Verizon, sprint, and I think they just lost T-mobile) now have their metrics not based on actual support stats, or even average call time, or anything else. Instead the SOLE metric that matters is selling protection plans for home electronics and other add-ons.
And by that I mean that Tech support people are now expected to get at least one sale per day. Coaching isn't about better dealing with tech problems, or defusing angry customers, it's now almost entirely about 'rebuttals', and 'sales openings'. And if you don't sell at least 3/week, you're put on a warning plan, and if you don't increase sales still at that point, then you're fired.
Now if you try to lead an ambiguous statement that you could interpret as the customer expressing mild interest, and add it despite them not actually agreeing to it, that's not a problem. If you accidentally click 'add' when you didn't mean to and they didn't want it though, then you get in trouble - not for adding it, but for drawing the customers attention to the whole idea of 'cancelling it', and not 'well go ahead and try it and if you don't like it cancel at the end of the month', hoping they'll forget scam.
That's why it's gone downhill.
[ link to this | view in chronology ]
Re: What has happened
Your statement assumes that Verizon customer service was ever "North" in the first place. Pretty sure you won't find very many people agreeing with you on that one.
[ link to this | view in chronology ]
Re: What has happened
I mean, this is the same company that couldn't do basic math 10+ years ago...
https://consumerist.com/2010/02/23/verizon-didnt-know-difference-between-difference-between-0 02-and-00002/
[ link to this | view in chronology ]
Why is it I see this...
"threat actors were able to access username/passwords from outside sources,"
And in my head know the outside source was a hacking forum where someone has persistent access to Verizon has been selling account details for years.
Its just so clean to claim it was outside sources, when you were the only possible source of the data in the first place.
[ link to this | view in chronology ]
The best time to eat crow is when it is young and tender.
[ link to this | view in chronology ]