We’ve fixed an issue that meant we weren’t storing some customers’ PINs correctly

No information has been exposed outside Monzo, and there’s no evidence that this data has been used for fraud.

We’ve updated the app, and we’re about to contact some of you to let you know you should change your PIN as a precaution.

13 Likes

I’d be curious to know how/why this only affects some accounts. Was it only logs from certain services that erroneously didn’t strip the PIN? How long has the issue existed?

5 Likes

Yes, that’s right, only two features were affected by this issue:

5 Likes

I’ve cancelled a standing order but haven’t had a message :eyes:

We’re just about to start emailing people now

7 Likes

I’m now very curious as to why these services didn’t strip the PINs (though standing orders haven’t supported biometric auth on Android since it was introduced, so I have a feeling it hasn’t been touched since being implemented)…
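As an added example (not Monzo’s code and not from anyone in this thread), here is the kind of log-scrubbing layer the posts above are talking about: a shared path that redacts PIN fields before a request is serialised into a log line, the defect pattern where a feature serialises the raw request itself and so bypasses that path, and an audit that scans existing log lines for PIN values that survived. The field names, account identifiers and log lines are constructed for illustration.

```python
"""Added example (not Monzo's code): key-based PIN scrubbing for structured
logs, plus an audit that finds log lines where the scrubbing was bypassed.
Field names, identifiers and sample events are assumptions for illustration."""
import json
import re
from typing import Any, Iterable, List, Tuple

# Assumed field names a PIN might travel under; a real service would keep
# this list in step with its request schemas.
SENSITIVE_KEYS = {"pin", "new_pin", "old_pin", "card_pin"}
REDACTED = "[REDACTED]"


def scrub(value: Any) -> Any:
    """Recursively copy a JSON-like value, redacting every sensitive field,
    however deeply nested."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def log_event(event: dict) -> str:
    """The shared logging path: scrub first, then serialise."""
    return json.dumps(scrub(event), sort_keys=True)


def log_event_bypassing_scrub(event: dict) -> str:
    """The defect pattern: a feature that serialises the raw request on its
    own and never goes through scrub()."""
    return json.dumps(event, sort_keys=True)


# Audit pattern: a serialised sensitive key whose value is still digits.
_LEAK = re.compile(
    r'"(' + "|".join(sorted(SENSITIVE_KEYS)) + r')"\s*:\s*"?(\d{4,12})"?',
    re.IGNORECASE,
)


def find_leaked_pins(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, field name) for every log line that still
    carries a numeric value under a sensitive key."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _LEAK.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


def sample_log_lines() -> List[str]:
    """Constructed log lines: two written via the scrubbing path, one written
    by a feature that bypassed it."""
    standing_order = {"feature": "standing_order", "account": "acc_123",
                      "auth": {"pin": "1234"}}
    pin_change = {"feature": "pin_change", "account": "acc_123",
                  "old_pin": "1234", "new_pin": "5947"}
    return [
        log_event(standing_order),
        log_event_bypassing_scrub(standing_order),
        log_event(pin_change),
    ]


if __name__ == "__main__":
    for line in sample_log_lines():
        print(line)
    # Only the bypassing line should be reported.
    print(find_leaked_pins(sample_log_lines()))
```

The point of the audit function is that key-based scrubbing only protects the code paths that call it; a check run over the logs themselves is what catches the feature that took a different path, which is the failure mode the thread is asking about.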

Got the email on this.

5 Likes

Just got this email… instantly thought it was a scam!

I feel emailing customers this info isn’t the best way, especially knowing how many scammy banking emails are sent daily…

I reported it to Customer Services before checking the blog… but seems it’s real… maybe an app notification would be better next time…

23 Likes

They’re asking you to change your PIN at an ATM, what kind of scam would that be?

19 Likes

Agree.

I too received this and it was in my spam. Should I have not seen this thread (like a huge portion of customers won’t) I wouldn’t have known.

Not at all bothered about the security issue by the way and I appreciate the transparency but just better notification needed :slight_smile:

12 Likes

I think an in-app notification would be a pretty good idea, how many people really check their emails, perhaps do both?

7 Likes

I thought the same actually but coming to the community was my way of checking.

I’ve got no issue with the way Monzo have handled this otherwise. Things go wrong sometimes, at least they’re putting it right instead of brushing it under the carpet.

7 Likes

I’ve done neither of these, but I still got the email. Updating the app is easy, but going to a cash point, man, that’s a ballache. Did this affect joint accounts or solo accounts or both?

8 Likes

Thanks for the update I just changed my pin to 5947 :dancer:

47 Likes

:rofl::rofl::rofl::rofl::rofl:

2 Likes

A feed item would also be a really good idea. That way even if you miss both you’d notice that when you next open the app.

9 Likes

Agreed, especially for something like this

This is not good. I don’t want to change my PIN because someone at Monzo has made a mistake.
I’ve kept my side of keeping things safe; it doesn’t sound like Monzo have.
I’m sure a few will disagree, but I’m not the one who has done anything incorrect here.

14 Likes

If I don’t change my PIN and there is fraud, is that called negligence, because the log files are encrypted and only some Monzo staff may have seen it?

1 Like

That’s an interesting question. It definitely seems reasonable to take the risk given the extremely low likelihood of anything bad happening (and the fact that any problems would be ‘on Monzo’). I doubt Monzo would support this, but then you wonder why resetting your PIN couldn’t be enforced?

I’ve seen lots of voluntary password and PIN resets in the past and never thought about this until now.

2 Likes