Yes but if the algorithm and salt gets to be known then there are very few possibilities (10^n where n is max length of passcode) and unless people are setting 50 digit passcodes, then it is very crackable.

It's crackable by those that have the secret key i.e. AT&T and whoever they leak their key to. But presumably it's harder to steal a secret key and a database entry than it is to steal just a database entry.

The salt just obscures whether two users have the same code