Some customer accounts for the Verizon-backed all-digital prepaid brand Visible were breached after bad actors obtained password and login information from “outside sources,” the company confirmed on social media Wednesday.
The scope hasn’t been disclosed and Visible has not responded to questions from Fierce.
The Verge reported earlier in the week about customer complaints that surfaced on social media, including that hackers had changed account info, locking users out, and in some cases made unauthorized charges like phone purchases using subscriber payment information.
Wednesday afternoon Visible posted on Twitter saying it was “aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we initiated a review & deployed tools to mitigate the issue, enabling additional controls to further protect our members.”
Additional details on what those tools and controls are weren’t immediately available. Fierce will update with any new information.
A follow-up social media post from Visible said an investigation "indicates that threat actors were able to access username/passwords from outside sources," using that data to log in to Visible accounts.
Nearly every platform recommends against using the same password across different accounts for security purposes, and Visible gave users the same advice.
At least one commenter indicated Visible doesn’t offer two-step authentication, which adds security and can help if passwords are compromised. Visible hasn’t confirmed if it employs two-step authentication or commented on whether some users remain locked out of accounts.
The unauthorized access to Visible accounts appears different from the most recent carrier data breach in that Visible’s internal systems don’t seem to have been targeted; rather, the accounts were accessed with passwords found or obtained elsewhere. In August, a brute force cyberattack saw hackers gain access to T-Mobile servers and illegally obtain data on more than 52 million current, former, and prospective customers, including social security numbers, names, addresses and driver’s license info for some. No financial information was stolen but attackers gained device identifiers and PINs in some cases.
Earlier this month Syniverse, which supplies messaging services for AT&T, T-Mobile and Verizon, disclosed in an SEC filing that it was the target of a security breach that began five years earlier in May 2016 when someone gained access to databases within its network.
Just last week Facebook blamed an accidental routing misconfiguration for shutting down its backbone network and taking down the social media giant’s platforms, including Instagram, WhatsApp, and Messenger, for much of the day in what was a massive global outage. Facebook said it wasn’t aware of any malicious activity and that no user data was compromised.