Seen, a budget mobile service owned by Verizon, has confirmed that hackers accessed and charged user accounts.
The incident, first reported by The Verge, came to light earlier this week after Seen customers took to social media to report that their accounts had been hijacked. Some reported that their email address and password had been changed, and many said that unwanted charges had been made through their Seen accounts.
One customer wrote in the Seen subreddit that their account was hacked and an iPhone purchased with that person’s linked PayPal account. Another said that they had three iPhones ordered within 24 hours in their name. “Each time a different shipping/billing address,” they said.
While Seen initially remained silent on the issue, the company on Wednesday confirmed on Twitter that “threat actors were able to access username/passwords from outside sources, and exploit that information to log in to Seen accounts.” This, together with a follow-up tweet advising users not to re-use passwords across multiple accounts, suggests those affected were likely victims of a large-scale credential stuffing attack, in which stolen account credentials, usually consisting of lists of usernames and/or email addresses and corresponding passwords, are used to gain unauthorized access to accounts through automated login requests.
However, although this suggests that Seen itself wasn’t breached, many customers have highlighted the service’s lack of two-factor authentication (2FA) support, which may have prevented the hijacking of accounts.
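The pattern described above (automated logins across many usernames, then a changed email address or password on the accounts that open) can be detected in authentication logs. The following is an added example, not Seen's tooling or code from the original article; the event names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, not data from the incident:
# (seconds, source_ip, username, event). Event names are hypothetical.
ATTACKER = "203.0.113.7"
EVENTS = [(i, ATTACKER, f"user{i}@example.com", "login_fail") for i in range(5)] + [
    (5, ATTACKER, "carol@example.com", "login_ok"),            # reused password works
    (60, ATTACKER, "carol@example.com", "email_change"),
    (90, ATTACKER, "carol@example.com", "password_change"),
    (100, "198.51.100.20", "dave@example.com", "login_fail"),  # ordinary typo
    (110, "198.51.100.20", "dave@example.com", "login_ok"),
    (200, "198.51.100.20", "dave@example.com", "password_change"),
]

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Return source IPs that try many distinct usernames and mostly fail.

    The thresholds are illustrative assumptions, not tuned values.
    """
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, event in events:
        if event in ("login_ok", "login_fail"):
            users[ip].add(user)
            total[ip] += 1
            fails[ip] += event == "login_fail"
    return {ip for ip in total
            if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}

def find_takeovers(events, window_s=900):
    """Return (user, event) pairs where an account's email or password changed
    within window_s seconds of a successful login from a flagged source."""
    flagged = find_stuffing_sources(events)
    last_flagged_login, hits = {}, []
    for t, ip, user, event in sorted(events):
        if event == "login_ok" and ip in flagged:
            last_flagged_login[user] = t
        elif event in ("email_change", "password_change"):
            start = last_flagged_login.get(user)
            if start is not None and t - start <= window_s:
                hits.append((user, event))
    return hits

if __name__ == "__main__":
    print(find_stuffing_sources(EVENTS))
    print(find_takeovers(EVENTS))
```

Per-source counting alone misses attacks spread across many addresses, so a check like this complements 2FA and breached-password screening and does not replace them.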
NFH has asked Seen whether it has plans to enable 2FA, but the company has yet to respond. The service has not yet said how many users are affected.
In a statement given to The Verge, the company said: “Seen is aware of an issue in which some member accounts were accessed and/or charged without their authorization. As soon as we were made aware of the issue, we immediately initiated a review and started deploying tools to mitigate the issue and enable additional controls to further protect our customers.
“Protecting customer information — including securing customer accounts — is critically important to our company and our customers. As a reminder, our company will never call and ask for your password, secret questions or account PINs. If you feel your account has been compromised, please reach out to us via chat at seen.com.”
Per the Seen subreddit, the company has also told customers that, moving forward, “any purchases will require you to re-validate your payment information as an added security measure.” The company is also advising users to reset their passwords, particularly if it’s one that’s used for multiple services.