Quite a few Seen Wi-fi subscribers are reporting that their accounts had been hacked this week. Seen runs on Verizon’s 5G and 4G LTE networks and is owned by Verizon.
Suspicions of an information breach at Seen began Monday when some prospects noticed unauthorized purchases on their accounts:
@Visible I used to be simply hacked! They despatched themselves a cellphone and adjusted my tackle! Pressing!’ How do i@cease this!!!! HURRY!!
— Kelley (@ksmrz77) October 12, 2021
On the Seen subreddit, customers reported seeing unauthorized orders positioned from their accounts:
Social media was additionally stuffed with reviews of shoppers not receiving a response from Seen for days:
Nice, somebody hacked my @visible account, bought iPhone utilizing my PayPal, and adjusted the password. @visiblecare will not be responding. Scammer additionally tricked me with e mail spams in an effort to make me miss any e mail notifications from Seen.
— Kristian Kim (@kristiankim) October 13, 2021
Credential stuffing possible, firm says
In an e mail despatched to prospects and posted publicly yesterday, Seen shared what it believes triggered the hacks.
“We’ve got realized of an incident whereby data on some member accounts was modified with out their authorization. We’re taking protecting steps to safe all impacted accounts and forestall any additional unauthorized entry,” stated Seen within the announcement. “Our investigation signifies that menace actors had been in a position to entry username/passwords from exterior sources and exploit that data to log in to Seen accounts. In case you use your Seen username and password throughout a number of accounts, together with your financial institution or different monetary accounts, we advocate updating your username/password with these providers.”
The corporate’s wording means that buyer credentials had been obtained from a third-party leak or breached database after which used to entry buyer accounts, a apply often called credential stuffing. The corporate advises prospects to reset passwords and safety data and can immediate customers to re-validate cost data earlier than additional purchases may be made.
However an skilled has cast doubts on the credential-stuffing idea, noting that Seen admitted in a tweet to “technical points” with its chat platform this week, with the corporate briefly unable to make any modifications to buyer accounts. Seen has since deleted its tweet.
Did Seen know since final week?
Though Seen made a public assertion yesterday, the corporate first acknowledged the difficulty on Twitter on October 8. On the time, Seen supplied a imprecise purpose: order affirmation emails erroneously despatched out by the corporate.
“We’re sorry for any confusion this will have triggered! There was an error the place this e mail was despatched to members, please disregard it,” the corporate instructed a buyer.
One Seen buyer reacted angrily to the delay, saying, “This response is totally irresponsible, given the truth that you’re at the moment beneath assault and are conscious of MANY customers which have had their accounts compromised.”
Seen says prospects will not be held responsible for any unauthorized costs. “If there’s a mistaken cost in your account, you’ll not be held accountable, and the costs will probably be reversed,” the corporate stated.
Seen prospects impacted by the incident ought to monitor for suspicious transactions and alter their passwords, each on their Seen account and another web sites the place they’ve used the identical credentials.