British banking start-up Monzo has reached out to around half a million customers after a glitch revealed plain text PIN details to engineers.
Those contacted have been asked to change their card PIN after the security hiccup, but it’s a substantial breach of security and bad news for the digital bank, which has some 2.5m customers and has just launched in the United States.
The flaw allowed engineers to see the PINs of some customers in encrypted log files. Although the files were encrypted, engineers were given access to them to do their jobs, so the numbers were revealed to them.
In a blog post mea culpa, Monzo says that the issue was spotted on Friday and fixed in the early hours of Saturday, while sensitive information was wiped by Monday morning. Monzo also said they've contacted everyone affected, so if you didn't get an email from the bank asking you to change your PIN by now, you aren't affected. Congratulations.
Only two features put users at risk, as confirmed in the comments below the blog post. These are "Getting a reminder of your card number" and "Cancelling a standing order."
However, if you were affected by the breach, it appears changing your PIN at a cash machine should be absolutely fine. In addition, the bank says that it checked all the accounts affected and believes at this time that the information has not been used for any fraudulent activities.
“If you think you see anything unusual on your account, please get in touch with us straight away through in-app chat or by ringing the phone number on your debit card,” say Monzo in their blog. “If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version.”
Crucially, several people who have received the email did not get an app notification, so check your email’s spam folder and your non-priority inboxes.