Skip to main content

Virgin Mobile USA accounts easily hacked due to antiquated password policy, says developer

Virgin Mobile USA accounts easily hacked due to antiquated password policy, says developer


According to one developer, an antiquated password policy on Virgin Mobile USA's website makes it far too easy for malicious individuals to hack into users' accounts.

Share this story

We've had several examples in recent months of just how easy it can be for an individual's personal information to be compromised online. According to one developer, however, Virgin Mobile may be making it even easier for its users to be hacked due to outdated password requirements. In a recent post on his personal blog, developer Kevin Burke notes that Virgin Mobile USA's website forces users to use a six-digit PIN number as the password for their account. Without the ability to swap in letters or extend the length, it limits the number of possible combinations to an even 1 million. Given that a user's login is their phone number, a malicious individual would only need to have said phone number and the time to cycle through the various combinations in order to gain access to a given account — and all of the call history and personal information contained therein.

He was able to force his way into his own account with a simple script

Burke created a script to try to brute force his way into his own account, which he found he was able to do with ease — at no point was his account frozen due to incorrect login attempts, nor were his attempts throttled by the carrier's website. The developer writes that he contacted Virgin Mobile several times about the problem before publishing his article, but was told that no additional steps to resolve the issue were planned.

As of the writing of this article, all login services appear to be disabled at Virgin Mobile's website, though whether it is due to an internal problem, an intentional decision, or the result of external forces attempting to take advantage of the exploit Burke revealed is unclear at this time. We'll keep you updated with any further developments.