We’ve already reported the possibility that your Google Wallet account could be compromised with a brute-force attack. Now, Google Play has a similar issue that has come to light. If you have been using the PIN code verification feature in Google Play to protect your phone, read on.
There is a setting for the Google Play Market that enables a PIN code prompt when you are about to purchase something. The idea is to protect you in the event that someone steals your phone and wants to buy a ton of apps on your dime.
The problem is that the PIN is stored on the device itself, not in the cloud. So, if a thief were to clear the data for the Google Play Market in the “Manage application” settings of your phone (the same way we explained when updating Google Play from the Android Market), the PIN would be gone, and the thief could buy anything they wanted in the Google Play Market using your credit card. If you realize your phone is gone, you can change your Google password so that Google Play will prompt the user to reenter the password. However, if you don’t realize your phone is gone right away, the thief might already be using your account to purchase things.
Hopefully Google will issue an update for this soon, but in the meantime, you can use a lock screen on your phone to keep unwanted people from messing with your stuff.
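The design difference described above, as an added example that is not Google Play's code: a toy model in which the purchase PIN is kept either in the app's local data or in a server-side account record. All class and function names, and the sample PIN, are constructed for illustration.

```python
"""Toy model (constructed): where the purchase-PIN setting is stored decides
whether clearing an app's local data removes the check."""
import hashlib
import hmac


def pin_hash(pin):
    # Sketch only: a real store would use a salted, slow KDF.
    return hashlib.sha256(pin.encode()).hexdigest()


class Device:
    """Handset: app_data is whatever "clear data" in app settings wipes."""
    def __init__(self):
        self.app_data = {}

    def clear_app_data(self):
        self.app_data.clear()


class Account:
    """Server-side record (hypothetical); the handset cannot wipe it."""
    def __init__(self):
        self.pin_hash = None


def _authorize(stored, supplied):
    if stored is None:
        return True  # no PIN configured, so no prompt is shown
    return supplied is not None and hmac.compare_digest(stored, pin_hash(supplied))


def purchase_local(device, supplied=None):
    # Weak design: the gate reads its own configuration from wipeable storage.
    return _authorize(device.app_data.get("pin_hash"), supplied)


def purchase_server(account, supplied=None):
    # Stronger design: the requirement lives with the account, off the device.
    return _authorize(account.pin_hash, supplied)


def demo():
    device, account = Device(), Account()
    device.app_data["pin_hash"] = pin_hash("4821")  # constructed sample PIN
    account.pin_hash = pin_hash("4821")
    before = (purchase_local(device), purchase_server(account))
    device.clear_app_data()  # the settings action the article describes
    after = (purchase_local(device), purchase_server(account))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The local gate fails open once its stored setting disappears, while the account-held setting still refuses a purchase without the PIN.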