Earlier today, Visible shared a few tweets with updates on the security issue I posted about yesterday. Here’s the important bit:
Taking Visible at face value, it looks like the attacker is exploiting information leaked in an unrelated data breach,1 rather than a flaw in Visible's own systems. Consequently, I'm not sure it's entirely accurate to say Visible was hacked.2
I’m not sure what end game the attacker has planned. It sounds like many people are seeing fraudulent phone orders charged to the billing information on file in compromised accounts. Even if the fraudulent orders are fulfilled, it should be easy for Visible to track down the culprit. After all, the company knows where each phone is sent. Maybe I’m missing something.
Spitballing, I came up with a few possibilities:
- Fraudulent orders could be a red herring to distract from the attacker’s real goal.
- Multiple attackers could be working independently with the same compromised data.
- An attacker could compromise numerous accounts and send phones to a large number of addresses. If only a small portion of the addresses were under the attacker’s control, it would be difficult and expensive for Visible to track down the attacker.
I don’t find any of these possibilities particularly likely. It’ll be interesting to see how this plays out.