User: Virgin Mobile Passwords Easy to Crack

Thanks to for finding the story.

Virgin Mobile Claims System is Secure

Virgin Mobile claims that it uses "standard industry practices" to safeguard personal information of its users.

However, many companies require at least 8-digit passwords for user accounts and permit (or require) characters, digits and sometimes symbols and mixed case. They also lock a user out after a certain number of attempts.

Apparently, Virgin Mobile only uses 6-digit passwords for its U.S. account holders. Even worse, the passwords can only be made up of digits (0-9). That means there are only about a million possible passwords. That may seem like a lot to a person, but a program trying to guess the password using "brute force" techniques can work through them fairly quickly.

User Cracked Own Password

One user claims to have cracked his own password in only a few hours, using simple programming techniques to attempt a login every few seconds. Almost anyone with a user's phone number and basic coding knowledge could "brute force" the password, charge the account and even purchase a new phone.

And, according to his contract with Virgin Mobile, the user would have little recourse, because anyone who successfully logs in could be considered an authorized user.

Partial Fix

Virgin Mobile may have already fixed part of the problem. The user who cracked his own password tweeted today that he was not able to brute force his password anymore, but that the system still did not lock him out after 100 attempts.
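
The lockout that the article says was still missing after 100 attempts, sketched here as an added example (not Virgin Mobile's code and not from the user quoted above): a per-account throttle with exponential backoff, plus a simulation of how many guesses against the million-PIN space it leaves in a day. The class and function names, the 5-failure threshold and the 60-second base lock are assumptions chosen for illustration.

```python
import time

PIN_SPACE = 10 ** 6   # six digits, 0-9 only, as the article describes
# Assumed policy values for illustration, not Virgin Mobile's:
MAX_FAILURES = 5      # consecutive failures before a lockout
BASE_LOCK = 60        # seconds; doubles with each successive lockout


class LoginThrottle:
    """Per-account lockout with exponential backoff (hypothetical helper)."""

    def __init__(self, max_failures=MAX_FAILURES, base_lock=BASE_LOCK,
                 clock=time.monotonic):
        self.max_failures, self.base_lock = max_failures, base_lock
        self.clock = clock
        self._state = {}  # account -> [failures, lockouts, locked_until]

    def locked_until(self, account):
        return self._state.get(account, [0, 0, 0.0])[2]

    def allowed(self, account):
        # Call this BEFORE checking the PIN; refuse the attempt if False.
        return self.clock() >= self.locked_until(account)

    def record(self, account, success):
        st = self._state.setdefault(account, [0, 0, 0.0])
        if success:
            st[0] = st[1] = 0          # a good login resets both counters
            return
        st[0] += 1
        if st[0] >= self.max_failures:
            st[1] += 1                 # one more lockout for this account
            st[0] = 0
            st[2] = self.clock() + self.base_lock * 2 ** (st[1] - 1)


def worst_case_guesses(window_seconds, **policy):
    """Upper bound on guesses one account receives in the window, assuming
    every permitted attempt is used the instant it becomes available."""
    now = [0.0]                        # simulated clock, no real waiting
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    guesses = 0
    while now[0] < window_seconds:
        if throttle.allowed("acct"):
            throttle.record("acct", success=False)
            guesses += 1
        else:
            now[0] = throttle.locked_until("acct")  # skip to end of lockout
    return guesses


if __name__ == "__main__":
    n = worst_case_guesses(24 * 3600)
    print(f"{n} guesses/day = {n / PIN_SPACE:.4%} of the PIN space")
```

The bound is per account; a production policy would pair it with per-source rate limiting and alerting on repeated lockouts.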