Virgin Mobile U.S. promises its customers that it uses "standard industry practices" to protect its customers' personal data - but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber's account, see who they call and text, register a different phone on the account and even purchase a new iPhone.
That's according to developer Kevin Burke, who discovered the flaws on his own account in August and notified the company, only to be told that the company had no intention of fixing its systems. Virgin Mobile U.S. serves millions of customers through pre-paid plans and is a wholly owned subsidiary of Sprint.
Virgin Mobile U.S. account security uses the customer's phone number as the account name, which is easy to guess, and then requires a 6-digit PIN as the password — which gives only a million possible passwords. Even worse, the site allows as many password guesses as one likes — something Burke confirmed by writing a short script that guessed his own PIN within a day.
Once an unauthorized user is in, they can read a customer's call and text logs, register a different phone to lock the customer out and read their text messages, change the address on file and order a new phone with the credit card on file. They can also lock a user out by changing the PIN and e-mail address on the account — without any notification to the previous address.
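The article's core finding is that a one-million-entry keyspace is only a problem when the server answers an unlimited number of guesses. The following is an added example, not code from the article, from Burke, or from Virgin Mobile's systems; it shows how a PIN login can cap failed attempts per account and lock the account for a cooldown period, and it computes how long exhausting the full 6-digit space would take under that policy. The account store, the policy constants (`MAX_FAILURES`, `LOCKOUT_SECONDS`) and the phone numbers are all hypothetical.

```python
"""Throttled PIN login (added example; hypothetical policy and data)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PIN_SPACE = 10 ** 6          # a 6-digit numeric PIN: one million possibilities
MAX_FAILURES = 5             # hypothetical policy: lock after 5 wrong guesses
LOCKOUT_SECONDS = 15 * 60    # hypothetical policy: 15-minute lockout


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked table does not expose PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Account:
    phone: str
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

    @classmethod
    def create(cls, phone: str, pin: str) -> "Account":
        salt = os.urandom(16)
        return cls(phone=phone, salt=salt, pin_hash=hash_pin(pin, salt))


class PinAuthenticator:
    """In-memory account store with per-account failure counting."""

    def __init__(self, clock=time.monotonic):
        self.accounts: dict = {}
        self.clock = clock  # injectable so a test can advance time

    def register(self, phone: str, pin: str) -> None:
        self.accounts[phone] = Account.create(phone, pin)

    def attempt(self, phone: str, pin: str) -> str:
        """Return 'ok', 'bad_pin' or 'locked'."""
        acct = self.accounts.get(phone)
        now = self.clock()
        if acct is None:
            # Same answer as a wrong PIN, so unknown numbers are not enumerable.
            return "bad_pin"
        if now < acct.locked_until:
            # Refuse even a correct PIN while the lockout is active.
            return "locked"
        if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad_pin"


def exhaustion_seconds_with_lockout() -> int:
    """Worst-case time to try every PIN when only MAX_FAILURES guesses are
    evaluated per lockout window (ignores the time the guesses themselves take)."""
    windows = PIN_SPACE // MAX_FAILURES
    return windows * LOCKOUT_SECONDS


def exhaustion_seconds_unthrottled(guesses_per_second: int) -> float:
    """Worst-case time to try every PIN when nothing limits the guess rate."""
    return PIN_SPACE / guesses_per_second


if __name__ == "__main__":
    auth = PinAuthenticator()
    auth.register("5550001234", "482910")   # constructed sample account
    for _ in range(MAX_FAILURES):
        auth.attempt("5550001234", "000000")
    print(auth.attempt("5550001234", "482910"))          # locked
    print(exhaustion_seconds_unthrottled(100) / 3600)    # hours, unthrottled
    print(exhaustion_seconds_with_lockout() / 86400 / 365)  # years, throttled
```

With the sample policy, an unthrottled guesser at 100 attempts per second covers the whole space in under three hours, while the lockout stretches the same search to several years; the number itself matters less than the design point that the throttle, not the PIN length, is what makes a six-digit secret defensible.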
Continued: http://www.wired.com/threatlevel/2012/09/virgin-mobile/
Also: Virgin Mobile USA user accounts vulnerable to brute-force attack