Comcast left customers of its Xfinity Mobile phone service vulnerable to hacks and identify theft by setting the default PIN codes of its accounts to “0000,” making it easy for malicious third parties to steal customers’ identities. The vulnerability was pointed out by one user who wrote in to The Washington Post to describe “a tech horror story,” which Comcast then confirmed.

The hacked user, from California, told the Post he had his phone number hijacked and transferred to a new account, with his credit card still attached to the new phone. The hacker then used the card to buy a new Apple computer in Georgia. If the PIN sounds familiar, that might be because Kanye West made headlines for setting his iPhone X password to 000000 — not a great look for any standard tech user or hip-hop mogul, but an even worse one for the IT department of a enormous telecommunications company servicing tens of millions of people.

“Working aggressively towards a PIN-based solution”

The user is only one of a few Xfinity Mobile customers who’ve reported having their numbers stolen, as Comcast didn’t protect its mobile accounts with a unique PIN or even a password. For those unfamiliar with Xfinity Mobile, it’s a service that piggybacks of Verizon’s network, but complements it using Wi-Fi hotspots scattered around the country. As a result, it typically offers lower-cost data plans, although the company has been recently placing restrictions on mobile data usage to try and curb high-bandwidth video viewing.

On Xfinity forums, one user who said his number was ported noted that Comcast told him to file a police report, but the company then didn’t help him get the number back to his account, possibly because the number was already with another carrier that Comcast had no control over. Another user pointed out that two-factor authentication wouldn’t help in this case, as it wouldn’t prevent a hacker from porting out the number.

“We’re aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many,” a Comcast spokesperson tells the Verge. The company said it had added more security around porting phone numbers to new accounts and is also “working aggressively towards a PIN-based solution.” It’s also reaching out to affected customers to help fix the issue on a case-by-case basis. Comcast says such situations are typically only possible because hackers are using personally identifiable information, such as a password-protected Xfinity Mobile account number, that may been exposed as the result of other unrelated data breaches.

Still, Comcast doesn’t really explain why 0000 was the default PIN to begin with. It’s advising users to use strong, unique passwords and enable multifactor authentication, but both measures only help if their information hasn't yet been compromised in a previous breach.

Disclosure: Comcast is an investor in Vox Media, The Verge’s parent company.