Originally Posted by Kingston
...They get access to the customer database through an exploit. That database has hashed (not plain text) versions of the passwords and/or PINs. That's how most companies store credentials. A username associated with a hashed credential.
They can try billions of combinations (quite easily and quite quickly) offline until they match the hash. Then they can go online and get access.
They're not sitting on united.com guessing PINs. When they go to united.com they already have your PIN because they did their guessing offline....
Ok, but as it has been pointed out, users don't use their MP# on any other sites. The trouble likely stems from folks having a username/password to access their UA accounts that is the same as the combination that they use on numerous other sites. The MP#/PIN is therefore potentially much safer from hacks on other sites that would yield troves of usernames and passwords.
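
The offline guessing described in the quoted post, as an added example that is not part of the thread and not any airline's actual storage scheme: it assumes a 4-digit numeric PIN, a salted PBKDF2 hash, and a hypothetical server-side key ("pepper") kept outside the database. It shows that salting and stretching do not protect a small keyspace once the database leaks, while a keyed hash leaves nothing to verify guesses against without the key.

```python
import hashlib
import hmac

ITERATIONS = 100  # constructed value, kept low so the demo runs quickly


def hash_pin(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, stretched hash: everything needed to check a guess is in the DB row."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def hash_pin_peppered(pin: str, salt: bytes, pepper: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Same, but the PIN is first keyed with a secret held outside the database."""
    keyed = hmac.new(pepper, pin.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def offline_search(salt: bytes, stored: bytes, digits: int = 4):
    """Model of what a leaked row allows: try every PIN with no rate limit.

    Returns (pin, guesses_used), or (None, keyspace_size) if nothing matches.
    """
    keyspace = 10 ** digits
    for n in range(keyspace):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(hash_pin(candidate, salt), stored):
            return candidate, n + 1
    return None, keyspace


if __name__ == "__main__":
    salt = bytes(16)        # constructed sample salt
    pepper = b"k" * 32      # constructed sample key, never stored in the DB
    plain_row = hash_pin("4821", salt)
    keyed_row = hash_pin_peppered("4821", salt, pepper)
    print("salted row:  ", offline_search(salt, plain_row))
    print("peppered row:", offline_search(salt, keyed_row))
```
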