Virgin Mobile USA has fixed its login page, but only after an independent software developer went public with a potentially major security flaw that could have put its 6 million customers at risk.
As noted by Kevin Burke, a California-based software developer, Virgin Mobile was using a system in which customers logged into their accounts with nothing more than a six-digit PIN, a keyspace of only one million values that an attacker could exhaust by brute force. Burke reported this to Virgin Mobile a month ago, but the company told him it was not an issue, so he went public on his personal blog and on Twitter.
"This is horribly insecure. Compare a six-digit number with a randomly generated eight-letter password containing uppercase letters, lowercase letters and digits -- the latter has 218,340,105,584,896 possible combinations. It is trivial to write a program that checks all million possible password combinations, easily determining anyone's PIN inside of one day," Burke said in a blog post.
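The arithmetic behind Burke's comparison, and why exhaustive search over a six-digit PIN is practical, can be shown with a small simulation. The following is an added example written for this article; it is not Virgin Mobile's login code and not Burke's program. The `PinAccount` class, the `max_attempts` lockout, the sample PIN `042137` and the assumed guess rate of 50 per second are all constructed for illustration and say nothing about what Virgin Mobile's site actually did or enforced.

```python
"""Added example: keyspace size of a six-digit PIN versus an eight-character
alphanumeric password, and an exhaustive search against a toy login check
with and without an attempt limit. Not code from the article or from
Virgin Mobile; every name and value here is an assumption for illustration."""
import secrets
from typing import Optional, Tuple


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct credentials drawable from `alphabet_size` symbols
    at exactly `length` positions (10**6 for a six-digit PIN, 62**8 for an
    eight-character mixed-case alphanumeric password)."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock hours needed to try every value in `space` at a fixed
    guess rate. The rate is an assumption; real throughput depends on the
    target and on any throttling it applies."""
    return space / guesses_per_second / 3600.0


class PinAccount:
    """Toy account guarded by a numeric PIN (constructed for the example).

    `max_attempts=None` models a login with no lockout at all; a number
    models a counter that locks the account after that many consecutive
    failures."""

    def __init__(self, pin: str, max_attempts: Optional[int] = None) -> None:
        self._pin = pin
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def login(self, guess: str) -> bool:
        """Return True on the correct PIN; count failures and lock when the
        configured limit is reached. Constant-time compare avoids leaking
        matching prefixes through timing (a separate weakness from keyspace)."""
        if self.locked:
            return False
        if secrets.compare_digest(guess.encode(), self._pin.encode()):
            self.failed = 0
            return True
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.locked = True
        return False


def brute_force(account: PinAccount, digits: int = 6) -> Tuple[Optional[str], int]:
    """Try every `digits`-long PIN in ascending order.

    Returns (pin, attempts) when the PIN is found, or (None, attempts) when
    the account locks or the keyspace is exhausted without a match."""
    attempts = 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        attempts += 1
        if account.login(guess):
            return guess, attempts
        if account.locked:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample PIN and an assumed guess rate of 50/s.
    print("6-digit PIN keyspace:", keyspace(10, 6))
    print("8-char [A-Za-z0-9] keyspace:", keyspace(62, 8))
    print("hours to exhaust PINs at 50/s:", round(hours_to_exhaust(keyspace(10, 6), 50), 1))
    print("no lockout:", brute_force(PinAccount("042137")))
    print("lock after 5 failures:", brute_force(PinAccount("042137", max_attempts=5)))
```

With no lockout the search recovers the constructed PIN on attempt 42,138, and even the last PIN in the space falls within a million attempts, which at the assumed 50 guesses per second is under six hours, consistent with Burke's "inside of one day". With a five-attempt lockout the same search stops after five guesses. The lockout only raises the cost of online guessing, though; it does nothing about the million-value keyspace itself, which is Burke's underlying objection.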