*GolfClap* Fekkin brilliant.
You don't tell your users that you've created an account for them, then helpfully "password protected" it with their default PIN, and leave the systems unpatched so ScriptKiddies can do a simple BruteForceAttack to gain entry. Which then gives them the PIN to the user's account, which gives them the same admin rights over the account as the unnotified owner, whom then gets to find out the hard way that they're getting screwed through an attack vector they didn't even know existed. Who's brain dead, dip shit, mentally retarded, drooling on their own shoes in delight, padded helmet wearing, mittens with the connecting string, name sewn in the underwear, Speshul Snowflake idea was this, and how soon before we can witness their public execution for crimes against humanity? SonofabitchmotherfuckingassspelunkingdumbassFUCKTARDS!
Now if you'll excuse me, I've got to go verify that I don't have any accounts my provider hasn't bothered to tell me about. Then I'll change the password. Then I'll hunt down whom did it & feed them back their colon. Grrrrrr...