Wireless carrier Visible denies data breach as account takeovers persist
Wireless carrier Visible denies data alienation as account takeovers persist
Some customers of the Verizon-owned Visible wireless service are getting a hard lesson well-nigh re-used passwords and how they tin pb to compromised accounts. Meanwhile, the carrier itself seems similar information technology's being taught a lesson virtually ameliorate advice with its customers.
The problem surfaced earlier this week, when some Visible customers posted reports on Reddit that someone had accessed their user accounts with the wireless service and changed their login information.
- Best unlimited data plans — where Visible'southward plan ranks
- The all-time cheap cell telephone plans
- Plus: Android phones track y'all even when yous opt out, new research reveals
Many of the same customers also said that unwanted charges had been made through their Visible accounts, unremarkably in the form of the person seizing command of the business relationship helping themselves to a new iPhone in the Visible online store. Others said they'd not been able to get much — or any — help from Visible, which has no customer-support telephone service.
"Dude my account got hacked and they shipped out a iPhone 13 worth 1k that was taken from my PayPal," wrote ane user on Reddit. "I am fuming!"
Visible is a low-cost cellular carrier, owned past Verizon, that offers inexpensive unlimited-data plans and also sells phones and wearables. All customer sales and services are done through the Visible website.
"A small number of fellow member accounts was inverse without their authorization," Visible posted on Reddit in response to the complaints. "We don't believe that any Visible systems have been breached or compromised. ... We recommend y'all review your account contact information and modify your password and security questions to your Visible account."
Visible told Tom's Guide that the incidents weren't the results of a data breach in which hackers obtained login data from Visible.
"Our investigation indicates that threat actors were able to access username/passwords from exterior sources, and exploit that data to login to Visible accounts," a company spokesperson told u.s.a. through a statement.
Tom's Guide too asked Visible for comment on the customer complaints virtually responsiveness, merely we have yet to receive an answer.
Possible credential stuffing
At least some of the affected Visible users may be victims of "credential stuffing." That's when a crook takes some of the billions of credential sets (username and password combinations) floating effectually the internet every bit the result of years of information breaches and phishing attacks, then shoots those credential sets rapid-fire at specific websites.
A few of those login attempts volition work considering practically everyone reuses at to the lowest degree some passwords. Even if the success rate is just a couple of percentage points, the crook will exist able to take over a lot of accounts if they're starting with millions of stolen credentials.
Some Visible users on Reddit and Twitter did say they had unique passwords, just Visible'due south ain tweets suggest that credential stuffing exactly what the visitor thinks is going on.
"If you lot utilise your Visible username & password beyond multiple accounts, including your bank/financial accounts, we recommend updating your username/countersign with those services," the company said Wednesday (Oct. 13).
🚨If you apply your Visible username & password across multiple accounts, including your depository financial institution/fiscal accounts, we recommend updating your username/password with those services. Reminder: Visible volition never phone call & ask for your password, hush-hush questions or business relationship PINs.🚨October 13, 2021
Too late to change your Visible password?
Nonetheless, many Visible users said they weren't able to change their own account passwords on the visitor website — a step that Visible may accept taken to stop more account takeovers.
"Because Visible disabled the reset your password feature (why??? I have no idea) the new password reset link is now going to become to the beginning email address the hacker inverse information technology to," said one Reddit user. "This is such a sh*t bear witness and I see no way Visible can survive this."
"As soon as nosotros were fabricated aware of the issue, we immediately initiated a review and started deploying tools to mitigate the effect and enable boosted controls to further protect our customers," Visible said as office of its statement.
Many online services offer two-factor authentication (2FA) to account holders, an optional feature that makes it much more than difficult for attackers to break into accounts even if they know the username and password. Visible does non appear to have this option.
If you lot take a Visible account, and y'all think y'all may accept reused your Visible username and password on other websites, then start by changing your password on each of those other sites — and make each new password stiff and unique.
To avoid being overwhelmed by lots of complicated passwords, use one of the best countersign managers — some of which are free.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul commuter, lawmaking monkey and video editor. He's been rooting around in the data-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom'south Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random Television set news spots and even moderated a console discussion at the CEDIA home-applied science conference. You can follow his rants on Twitter at @snd_wagenseil.
Source: https://www.tomsguide.com/news/visible-account-takeovers
Posted by: hallconsicur1998.blogspot.com
0 Response to "Wireless carrier Visible denies data breach as account takeovers persist"
Post a Comment