You need the PIN to transfer money from your account. Your PIN will be held by Monzo.
My email has just come through. Probably with the numbers they will send in batches
What happens if you don’t change your PIN?
Whilst the email is clearly not a phishing email, surely an email about the security of accounts should include the customer name at the top? That is a very simple way that people are taught how to detect phishing emails.
I just changed my PIN to 12345.
Did any of the engineers attempt to access the data?
Also, because you’ve realised the PINs were in the logs, I assume someone must have been looking at the PINs?
Just had it and not pleased.
No, it’s not. Banks are pretty careful to design systems so that PINs and passwords are stored securely.
Banks store hashed versions of the password, so “Password1” becomes “19513fdc9da4fb72a4a05eb66917548d3c90ff94d5419e1f2363eea89dfee1dd”
It is not possible to do that backwards - i.e. you cannot work out the password from the hash. It’s mathematically impossible.
What you can do, when a user tries to login, is test the password they’ve entered against the hash to see if it matches.
Or at least come from monzo.com and not monzoemail.com
Email from can be very easily spoofed to be fair.
Please don’t tell me you were storing it as plain text.
smh.
Of course, but my point still remains either way.
I used the same PIN for ages and now you force me to change it… not good for a bank.
Most banks do NOT hash their passwords, although presumably they do PINs. Banks tend to use reversible encryption for at least some of your secrets. If they used hashing then they wouldn’t be able to ask you to provide the 6th, 8th and 11th characters.
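The contrast drawn in the hashing explanation above and in this post (a hash can only confirm the whole secret; answering "give me the 6th, 8th and 11th characters" requires the plaintext back, so that secret has to be stored reversibly under a tightly guarded key), written out as an added Go example that is not from this thread or from any bank's systems; the HMAC-SHA256 stand-in for a password KDF, AES-GCM, the zero key and the sample password are all constructed for illustration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
// HashSecret: salted one-way digest (HMAC-SHA256 stands in for a slow KDF such as PBKDF2 or bcrypt).
func HashSecret(salt []byte, secret string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(secret))
	return m.Sum(nil)
}
// VerifyHashed: the only question a hash store can answer, "is this the whole secret?"
func VerifyHashed(salt, stored []byte, attempt string) bool {
	return hmac.Equal(stored, HashSecret(salt, attempt))
}
// Vault: reversible store, AES-GCM under a key that in a bank would live in an HSM.
type Vault struct{ gcm cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES blocks are 16 bytes
	return &Vault{gcm}, nil
}
// Encrypt returns nonce||ciphertext; anyone holding the key can read the secret back.
func (v *Vault) Encrypt(secret string) []byte {
	nonce := make([]byte, v.gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: never returns an error on supported platforms
	return v.gcm.Seal(nonce, nonce, []byte(secret), nil)
}
// VerifyPositions answers a "characters 6, 8 and 11" challenge (1-based); it must decrypt first, so it cannot be built on a hash.
func (v *Vault) VerifyPositions(blob []byte, positions []int, answers string) bool {
	n := v.gcm.NonceSize()
	if len(blob) < n {
		return false
	}
	plain, err := v.gcm.Open(nil, blob[:n], blob[n:], nil) // plain is nil on failure
	got := make([]byte, len(positions))
	for i, p := range positions {
		if p < 1 || p > len(plain) {
			return false
		}
		got[i] = plain[p-1]
	}
	return err == nil && hmac.Equal(got, []byte(answers))
}
```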
I haven’t done either of the 2 mentioned services but still received the email. Bit confused…
Actually, I’m doubting myself about PINs, because you can get PIN reminders…
That’s bad practice anyway.
You should change them every few years. It’s not hard to remember 4 numbers.
Monzo,
This is absolutely shocking!!
Never mind all the comments from people saying “Thanks for the email”…
Firstly, send official emails from your official domain name, Monzo.com. Not monzoemail.com or any other domain name. C’mon, this is 2019 and scams are rife - you do yourselves no favours by using other domain names to send out important customer updates.
Secondly, what are you doing? The FCA have clear rules on this, all personally sensitive information should be kept encrypted, with staff access kept to a minimum. Now you tell us random engineers would have been able to see this data via a less secure internal system? Alarm bells are ringing, Monzo! I assume you have already alerted the FCA and the Information Commissioner to this security breach? If not, I’m about to save you the job…
Monzo, get your act together and do it quick. You’re a bank, and security should be your top priority.
Indeed. Typically the PINs will be stored encrypted, not hashed, with the encryption key protected in a hardware security module.