New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Customers’ PINs Exposed From Monzo Security Glitch

Based in the UK, Monzo is a digital, mobile-only bank that has asked nearly 480,000 users to change their PINs after disclosing that they were stored improperly. Their customers’ PINs are regularly stored in a secure part of their system that is inaccessible without proper authorization. However, a lapse in security was noticed and it was discovered that customers’ PINs were being stored in encrypted log files which Monzo engineers were able to access. Swift action was taken, the glitch was dealt with and engineer access of the files was disabled. All information that was included was also deleted. “By 5:25am on Saturday morning, we had released updates to the Monzo apps. Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning,” said Monzo. Thankfully for their customers, no information was exposed externally and it was confirmed that none of the information was used for fraudulent activity. The company says that this issue affected less than a fifth of their customers and the affected users were sent an email regarding the issue.

Analyst Notes

First and foremost, users should immediately change their PINs. Monzo’s app should also be updated to version 2.59.0 for iOS and 2.59.1 for Android. Any suspicious activity that is noticed should also be reported to their bank or Monzo as soon as possible.