Heads up: Verizon’s Visible MVNO accounts are getting hacked left and right

If you aren’t interested in shelling out for a full carrier phone plan, maybe MVNOs like Visible are able to fit the bill instead. Visible is owned by Verizon and competes primarily against AT&T’s Cricket Wireless and T-Mobile’s Metro, and has found popularity offering unlimited data plans, eSIM support, and 5G connectivity for relatively affordable prices. But if you’re a Visible customer, you might want to change your password now: Reports are piling up online of people complaining that their accounts have been hijacked.

Apparently some hackers are targeting Visible accounts and getting hold of their login credentials. In most of the reported hijacks, an attacker logs into someone’s Visible account, the email address is changed to prevent the user from doing something about it, their shipping address is changed, and then the attacker buys themselves a phone that’s charged to the account. The /r/Visible Reddit community is absolutely packed with reports, and others have taken to Twitter to complain as well.

Why is this happening? You might jump to assuming that a security breach had occurred in Visible’s database and hackers got hold of those users’ login credentials that way. However, according to a statement provided to XDA, that doesn’t appear to be the case:

Visible is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.

Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts. If you use your Visible username and password across multiple accounts, including your bank or other financial accounts, we recommend updating your username/password with those services.

Protecting customer information — including securing customer accounts — is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at visible.com.

Instead, it appears that hackers are getting ahold of usernames and passwords from other, unrelated data breaches and running those through Visible to see if they come across any valid credentials. However, some people are claiming that they got hacked even though they were using completely unique passwords generated by password managers, which raises some questions about that explanation.

In any case, Visible says it’s taking steps to try and mitigate this. In the meantime, if you haven’t been hacked, make sure to change your login information to avoid disasters.