It's unbelievable that UA uses a 4 digit PIN for account security in this day and age. Anyone who has this happen to them should report it to the FTC. There are some major privacy risks here that they will be very interested in.

The IT professionals on UA's staff that let this state of affairs continue are arguably engaged in professional malpractice. Especially if any of them have a CISSP.