We have held off for hours on reporting on a major security breach, in the hopes that Sprint would act. However, they have not, so we will report as others have in the media.
As of this report the exploit is still active on the Picture Mail web site.
Update: The problem appears to have been fixed on Sprint’s end, entering a valid number without password now generates an internal server error.
Update 2: Minutes after our last report, Sprint has taken Picture Mail web services offline for “routine maintenance and enhancements”…
Update 3: Picture Mail services have again been restored.