Product Reviews
Take Action

Fight for Fair Finance

Tell the administration and Congress to stand up for the consumer watchdog that protects you from financial fraud and abuse.
Take Action
Why Do We Have Campaigns?
We're fighting to ensure you and your family can get a fair deal in the marketplace, especially on the choices that matter most: health care, privacy, automobiles, food, finances and more. Join our campaigns and together, we'll hold corporations and lawmakers accountable.

Virgin Mobile accounts are vulnerable to hack, blogger says

Consumer Reports News: September 18, 2012 02:38 PM

Update: The Consumerist heard back from Sprint and then got a reaction from the original blogger; see the new post, Sprint Says Virgin Mobile Site Isn't Completely Insecure; Blogger Disagrees, for details.

A Virgin Mobile customer claims that it's easy for hackers to access customers' accounts via the wireless provider's website—and not only is there nothing customers can do to defend themselves, the folks at the Virgin don't really seem too concerned about it.

On his blog, Kevin Burke goes through the ins and outs of how he realized the vulnerability and how he attempted to bring it to the company's attention.

"There is no way for any of their 6 million subscribers to defend against this attack," he told [our sister blog] Consumerist. "I contacted Virgin Mobile over a month ago about the issue and they have refused to fix it."

The problem is really quite simple, he explains. Virgin Mobile requires you to use your phone number as your log-in, and the password can only be 6 numbers—no letters or special characters. And there doesn't appear to be a limit on how many failed attempts one can make before being locked out of one's account.

Thus, says Burke, he was able to write a "brute force" script that would keep attempting to generate PINs until it found the right one.

It's worth noting that Virgin Mobile's numerical passwords cannot have 3 sequential numbers or three of the same numbers in a row. While that would seem to cut down on the number of people who have passwords like "123123" or "111111," it seems to us like that just makes the hacker's job easier by eliminating potential passwords.

Regardless, Kevin says he was able to use the script to crack open his own account. He claims that if someone does this to a Virgin Mobile customer they can:

  • Read your call and SMS logs, to see who's been calling you and who you've been calling.

  • Change the handset associated with an account, and start receiving calls/SMS that are meant for you.

  • Purchase a new handset using the credit card you have on file, which may result in $650 or more being charged to your card.

  • Change your PIN to lock you out of your account.

  • Change the e-mail address associated with your account (which only texts your current phone, instead of sending an e-mail to the old address).

  • Change your mailing address.

Because this problem is tied to the Virgin Mobile password system and customers have no control over it, Burke say customers have no way of protecting their accounts.

He suggests a number of possible fixes for Virgin to implement, including:

  • Allow people to set more complex passwords, involving letters, digits, and symbols.

  • Freezing your account after 5 failed password attempts.

  • Requiring both your PIN, and access to your handset, to log in.

Starting in mid-August, Burke began trying to bring this to the attention of Virgin Mobile and its parent company, Sprint. Within a few days, Kevin says, he began communicating with a high-level Sprint customer service rep, but after several weeks of back-and-forth, he was told last Friday that there would be no further action on Sprint or Virgin's part.

[Consumerist has] reached out to the folks at Virgin Mobile and Sprint to see if they have an explanation for the lax password policy. If we get any response, we'll update the story.

For tips on how to stay safe on the web, create strong passwords, and more, see our free Online Security Guide at

This story originally appeared on The Consumerist.

Source: Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open [Kevin Burke]

Chris Morran

E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Electronics News


Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings


Mobile Get Ratings on the go and compare
while you shop

Learn more