Visible Security Update

Earlier today, Visible shared a few tweets with updates on the security issue I posted about yesterday. Here’s the important bit:

Our investigation indicates that threat actors were able to access username/passwords from outside sources, and exploit that information to login to Visible accounts.

Taking Visible at face value, it looks like the attacker is exploiting information leaked in an unrelated data breach. Consequently, I’m not sure it’s entirely accurate to say Visible was hacked.

I’m not sure what end game the attacker has planned. It sounds like many people are seeing fraudulent phone orders charged to the billing information on file in compromised accounts. Even if the fraudulent orders are fulfilled, it should be easy for Visible to track down the culprit. After all, the company knows where each phone is sent. Maybe I’m missing something.

Spitballing, I came up with a few possibilities:

  • Fraudulent orders could be a red herring to distract from the attacker’s real goal.
  • Multiple attackers could be working independently with the same compromised data.
  • An attacker could compromise numerous accounts and send phones to a large number of addresses. If only a small portion of the addresses were under the attacker’s control, it would be difficult and expensive for Visible to track down the attacker.

I don’t find any of these possibilities particularly likely. It’ll be interesting to see how this plays out.

Huge Data Breach At T-Mobile

Yesterday, Joseph Cox at Motherboard reported that a hacker was trying to sell stolen data from 100 million T-Mobile customers. The compromised information isn’t trivial:

The data includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

The hacker allegedly downloaded all of the data locally before losing access to T-Mobile’s servers.

Today, T-Mobile issued an evasive press release and acknowledged that its systems were compromised (emphasis mine):

We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed…We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed…Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

Bullshit. Customers’ personal data was compromised. T-Mobile knows it.

I won’t be surprised if this data breach ultimately ends up looking similar in magnitude to the infamous 2017 Equifax fiasco. T-Mobile’s stock closed today about 3% down from its closing price on Friday.

Update:
Lawrence Abrams at BleepingComputer shared an article with additional information and rumors. Here’s one interesting bit:

The threat actor claims to have hacked into T-Mobile’s production, staging, and development servers two weeks ago, including an Oracle database server containing customer data…’Their entire IMEI history database going back to 2004 was stolen,’ the hacker told BleepingComputer.