We’ve fixed an issue that meant we weren’t storing some customers’ PINs correctly

Google “Monzo tells customers FT” and it should let you read the article if you don’t have an account.

Well there was no fraud & they’ve deleted the data now so :man_shrugging:

{ "errors": [ { "message": "permission denied", "code": "1100" } ] }

https://www.ft.com/content/f4f1f00a-b78a-11e9-8a88-aa6628ac896c

1 Like

Just got the email now. Luckily did not go to spam!
Still have mixed feelings about this whole ordeal.
The Twitter crowd seems to be in a congratulatory mood…

I highly doubt anything will come from it - but it’s not really the point.

There's been no fraud up until now, and the majority of people also won't change their PIN.

Nope, you didn't miss it… no one has replied yet! :sweat: I'm assuming the worst and that it's both.

Found the email buried in my spam folder. Not too concerned about this, and I'm not going to go out of my way to find an ATM.

3 Likes

I'm not impressed this happened in the first place. Yes, there is communication, and at least today's is clear, unlike the Monzo Plus launch (another story I'm slightly annoyed with Monzo about).

Two strikes now (not including overdrafts; for example, my last month's 10-day overdraft cost me 31p at a competitor mobile bank, compared to what would have been £5 with Monzo) really makes me think Monzo isn't fit for my purposes.

2 Likes

Really not impressed, and it is rather concerning that this has happened at all.

However above @priyesh says that it’s only if you got a reminder of your card number or cancelled a standing order.

I haven’t done either of these for months so how long has this bug been present for? Surely the developers who had access to the logs should have noticed this earlier?

Thank you for being open about this issue :raised_hands:

I know those logs could have been noticed and removed a while ago, but at least Monzo has the honesty to come forward about it. Having found a security issue with a major UK bank in the past, I can tell from experience that they did everything they could to hide the issue and did not notify their customers at any time, even though some data had leaked.
Having the PIN in a log file is no big deal anyway, as you need the physical card for the PIN to be useful.

Thank you Monzo for investigating the impact and being open about it

1 Like

Out of interest, can you share the security issue?
Also you can report them to the ICO/FCA if they should have notified their customers.

Received the email, glad they told me, but I won't be changing my PIN as I cannot see any fraud happening from this tbh.

1 Like

Actually the PIN can be used to authorise bank transfers for those who do not have biometrics turned on - so if the PIN is associated with a customer account, that is a problem, and likely a big part of the reason for the advice to change PIN.

2 Likes

I’d suggest people get used to this sort of thing.

Every single large company around you is constantly secretly doing stuff like this every single day.

The only difference is that Monzo tell you. A conventional bank wouldn't have dreamed of telling you about this. To be honest, I think the risk of this is so negligible that Monzo shouldn't have even bothered telling people.

Alarming 0.5m+ people because a small set of people in Monzo who already have complete access to your money could have accessed your money through a more complicated route does not seem like a good thing to do and will likely lead to people taking future genuine security threats less seriously.

21 Likes

They'd need to log in to your emails first to log in to the account (hopefully)

Hopefully, yes. But I’m sure there are backend tools which could be manipulated if they fell into the wrong hands.

This could be said for literally any company nowadays. We give our details out to so many places now that if there was one person who decided to be malicious, it wouldn't be pretty.

You’re wrong.
Banks never store PIN data in the clear. They go to very long lengths to encrypt card-sensitive data through HSM components, with keys known only to the HSM.
Once encrypted, no one from the bank can decrypt it, and thus the HSM is used for all related operations.
How did Monzo pass PCI and other audits with clear PINs stored in text files???

2 Likes
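The root cause discussed in this thread is a PIN (and, per the email, card-number related requests) reaching application logs. Below is an added example, written for this page and not Monzo's code, of the redaction layer that sits between a request payload and the logger: sensitive keys are masked before serialisation, and a Luhn-checked pattern catches a PAN that slipped into free text. The field names (`pin`, `pan`, `card_number`, ...) and the sample payload are assumptions constructed for the example.

```python
import json
import logging
import re
from typing import Any

# Keys whose values must never reach a log line.  These names are assumptions
# for the example, not Monzo's real field names.
SENSITIVE_KEYS = {"pin", "new_pin", "old_pin", "pan", "card_number", "cvv"}

# Fallback for a card number that ended up inside a free-text string
# (13-19 contiguous digits); confirmed with Luhn to avoid masking references.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(obj: Any) -> Any:
    """Recursively mask sensitive values in a JSON-like structure.

    Dict values under a sensitive key are replaced wholesale; strings anywhere
    are scanned for Luhn-valid PANs.  Everything else is returned unchanged.
    """
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return PAN_RE.sub(
            lambda m: "[PAN]" if luhn_ok(m.group()) else m.group(), obj
        )
    return obj


def log_line(event: str, payload: dict) -> str:
    """Serialise an event for logging, applying redaction first."""
    return json.dumps({"event": event, "payload": redact(payload)}, sort_keys=True)


class PanScrubbingFilter(logging.Filter):
    """Last line of defence on the logger itself: scrub Luhn-valid PANs from
    the rendered message.  Key-based masking of PINs must happen earlier, in
    log_line(), because a rendered string no longer carries the key names."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample request, modelled on the "cancel a standing order" flow
# mentioned in the thread; values are made up.
SAMPLE_PAYLOAD = {
    "request": "cancel_standing_order",
    "user_id": "u_123",
    "pin": "1234",
    "card": {"pan": "4111111111111111", "expiry": "12/26"},
    "note": "card 4111111111111111 reminder, ref 1234567890123456",
}

if __name__ == "__main__":
    logger = logging.getLogger("api")
    logger.addFilter(PanScrubbingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger.info(log_line("standing_order.cancel", SAMPLE_PAYLOAD))
```

The `ref 1234567890123456` in the note survives because it fails Luhn, while the Visa test number is masked; that distinction is what keeps a regex-only scrubber from mangling account references and timestamps. Whether the log file is then encrypted at rest is a separate control, and the thread's point stands: the PIN should never have been in the payload that reached the logger at all.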

They were in encrypted log files seen by a limited number of people.

3 Likes