{"id":6033,"date":"2012-09-18T11:32:24","date_gmt":"2012-09-18T18:32:24","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=6033"},"modified":"2012-09-18T11:32:24","modified_gmt":"2012-09-18T18:32:24","slug":"virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/","title":{"rendered":"Virgin Mobile Vulnerability Leaves 6 Million Subscribers Exposed"},"content":{"rendered":"<p>What companies consider \u201cstandard industry practices\u201d for web security never fail to amaze. This time it\u2019s Virgin Mobile US in the firing line, having been outed as having some incredibly poor authentication on their website.<\/p>\n<p>The main problem here is that the Virgin Mobile US website forces you to use your cell phone number as your username and a 6-digit numerical PIN as your password, with unlimited attempts to guess that password. Having 6 digits as password possibilities means that there are only 1 million combinations. Given that the website gives restrictions for the number of repeated or sequential digits, it\u2019s really a whole lot less than that. I\u2019m sure the intent there was to help you create a more difficult-to-guess PIN, but when there are so few choices and so many attempts, it\u2019s really a wasted effort. And given that Virgin Mobile US has 6 million subscribers, this means that well more than 1 in every 6 customers have the same PIN.<\/p>\n<p>Virgin Mobile has not yet made any effort to fix this, despite being informed about the issue over a month ago\u00a0<a href=\"http:\/\/kev.inburke.com\/kevin\/open-season-on-virgin-mobile-customer-data\/\">by developer Kevin Burke<\/a>. Even more galling is that Virgin reps requested that he include both phone number and PIN in communications with them. 
So there are the keys to the metaphorical castle, in plain text, for anyone to steal. How convenient!<\/p>\n<p>This vulnerability in the Virgin Mobile website allows the following actions:<\/p>\n<ul>\n<li>Seeing who you\u2019ve been calling and texting<\/li>\n<li>Changing the handset associated with your account<\/li>\n<li>Purchasing a handset on your behalf, with your credit card on file<\/li>\n<li>Changing your mailing address, email address, or PIN<\/li>\n<\/ul>\n<p>At this time, there is no way for Virgin Mobile users to protect against access or change to their accounts. It\u2019s recommended that you remove your credit card information from the website, at least until this issue has been fixed.<\/p>\n<p>Burke provided Virgin Mobile with a list of possible ways to resolve this issue, which are all excellent security recommendations. Hopefully they get on this soon, as this could lead to some serious <a href=\"https:\/\/www.intego.com\/mac-security-blog\/4-security-lessons-learned-from-mat-honans-icloud-account-hack\/\">Honan-style hacking mayhem<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What companies consider \u201cstandard industry practices\u201d for web security never fail to amaze. This time it\u2019s Virgin Mobile US in the firing line, having been outed as having some incredibly poor authentication on their website. 
The main problem here is that the Virgin Mobile US website forces you to use your cell phone number as [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":6034,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[13],"tags":[],"yoast_head_json":{"description":"What companies consider \u201cstandard industry practices\u201d for web security never fail to amaze. 
This time it\u2019s Virgin Mobile US in the firing line, having","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/","og_locale":"en_US","og_type":"article","og_title":"Virgin Mobile Vulnerability Leaves 6 Million Subscribers Exposed - The Mac Security Blog","og_description":"What companies consider \u201cstandard industry practices\u201d for web security never fail to amaze. This time it\u2019s Virgin Mobile US in the firing line, having","og_url":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/","og_site_name":"The Mac Security Blog","article_published_time":"2012-09-18T18:32:24+00:00","og_image":[{"width":"250","height":"250","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/09\/Virgin_Mobile_USA.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Lysa Myers","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/09\/Virgin_Mobile_USA.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/09\/Virgin_Mobile_USA.png","width":"250","height":"250"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/","name":"Virgin Mobile Vulnerability Leaves 6 Million Subscribers Exposed - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#primaryimage"},"datePublished":"2012-09-18T18:32:24+00:00","dateModified":"2012-09-18T18:32:24+00:00","description":"What companies consider \u201cstandard industry practices\u201d for web security never fail to amaze. 
This time it\u2019s Virgin Mobile US in the firing line, having","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Virgin Mobile Vulnerability Leaves 6 Million Subscribers Exposed"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/12b11624d5a648c576d8dce6f93b230a"},"headline":"Virgin Mobile Vulnerability Leaves 6 Million Subscribers Exposed","datePublished":"2012-09-18T18:32:24+00:00","dateModified":"2012-09-18T18:32:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#webpage"},"wordCount":355,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/09\/Virgin_Mobile_USA.png","articleSection":["Security &amp; 
Privacy"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/virgin-mobile-vulnerability-leaves-6-million-subscribers-exposed\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/12b11624d5a648c576d8dce6f93b230a","name":"Lysa Myers","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/783af524dca7753ceb3cd9a576398a0e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/783af524dca7753ceb3cd9a576398a0e?s=96&d=mm&r=g","caption":"Lysa Myers"},"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/lysam\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2012\/09\/Virgin_Mobile_USA.png","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-1zj","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/6033"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=6033"}],"version-history":[{"count":4,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/6033\/revisions"}],"predecessor-version":[{"id":6038,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/6033\/revisions\/6038"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/6034"}],"wp:attachment":[{"h
ref":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=6033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=6033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=6033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}