Originally Posted by Kingston
Compromised accounts come from brute forcing or password lists against an offline copy of the accounts database usually acquired through some other exploit.
So while no one is attacking your account with the live United system (and getting locked out), if anyone gets the password tables (even if hashed and salted), PINs are trivial to break.
And most companies like to not disclose unauthorized access to these credentials.
Four-digit credentials are terrible. Period.
If someone has a list of passwords and PINs, what's the difference?
Since about three failed login attempts locks the account, the hysteria regarding PINs seems a tad overblown.
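The two scenarios argued in this thread, put side by side as an added example (not code from either poster or from any real system): guessing against a live login with a three-attempt lockout versus enumerating a salted, iterated hash of a four-digit PIN from an offline copy. The PIN, salt, PBKDF2 parameters and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

KEYSPACE = 10_000        # every four-digit PIN, 0000 through 9999
LOCKOUT_ATTEMPTS = 3     # "about three failed login attempts", per the thread
ITERATIONS = 500         # assumption: kept low so the demo finishes quickly


def hash_pin(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash of a PIN (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def offline_search(salt: bytes, stored: bytes, iterations: int = ITERATIONS):
    """Walk the whole keyspace against one stored record.

    Returns (pin, attempts). The live system is never contacted,
    so its lockout counter never increments.
    """
    for attempts, n in enumerate(range(KEYSPACE), start=1):
        candidate = f"{n:04d}"
        if hmac.compare_digest(hash_pin(candidate, salt, iterations), stored):
            return candidate, attempts
    return None, KEYSPACE


def online_guess_probability(attempts: int = LOCKOUT_ATTEMPTS) -> float:
    """Chance of hitting a uniformly random PIN with distinct guesses
    before the lockout triggers."""
    return attempts / KEYSPACE


def demo():
    salt = os.urandom(16)             # per-record random salt
    record = hash_pin("4821", salt)   # constructed sample record
    return offline_search(salt, record)


if __name__ == "__main__":
    pin, attempts = demo()
    print(f"online, before lockout: {online_guess_probability():.2%} per account")
    print(f"offline: recovered {pin} after {attempts} of {KEYSPACE} hashes")
```

The salt stops precomputed tables from being reused across records and a higher iteration count scales the cost linearly, but neither enlarges a 10,000-value keyspace.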