I also use VM, and I was concerned about this since the get-go.
What bothers me more is that when you call and speak with CS, in order to access your account, they ask for your password. UMMMMM...isn't that ALSO a bad thing? Why should "real" customer support on the inside of the system require my password that I use to log in from the outside? IIRC, people have verified that they require your password because they essentially log in to your account as you in order to see the information on your account (not to actually verify your identity). I'd be more worried about that first than some brute-force password crack.
@snowzsan--do you use their option for automatic payments?
I always thought it was lame that VM just used a 6-digit PIN. Especially with all the sites getting hacked into lately and things like that, you'd think they'd change their system. Maybe they will now that this has gone public...
I think another good question is, while it's clear that their extent of password security is terribad and needs to change, what is the real likelihood that you're going to get hacked? People would have to have your cell phone number AND know that you're a VM user. Is it possible to extract the carrier from a cell phone number?
I'm not defending the situation, but the real chance of brute-forcing an account is dependent on knowing the specific cell phone number and knowing that it's a VM account. Think about myself, the only people I can think of who know that much about my cell phone are probably just my friends and family--I doubt they're going to try to brute force into my account.
Regardless, it should be fixed--I wonder if a petition is going to start up? Also, is there a stipulation of site access security that the FCC presides over? Can one lodge a complaint on these grounds?
"Virgin Mobile told him there would be no further action on this issue from their end."
Yeah good luck getting away with not fixing this issue now Virgin! It's out in the open and not the kind of obscure exploit that only a handful of people can take advantage of. Anyone with minimal IT knowledge and access to Google can access any Virgin Mobile account at will now.