Monzo admits storing 480,000 PINs as plain text in log files
Written by James Orme Tue 6 Aug 2019

Monzo claims no one outside the challenger bank had access to PINs
Monzo has advised almost half a million customers to change their PIN after the British online-only bank discovered it was storing their codes as plain text in log files.
The bank said that the PINs were stored in a log file accessible to around 100 Monzo engineers who would normally not require access to customer PINs.
In total 480,000 of the bank’s customers are affected. Monzo has contacted those affected and advised them to go to a cash machine and change their PIN as a precaution.
It is basic cyber security practice to scramble passwords or PINs into an unreadable format – a process known as hashing – in case they are exposed deliberately or accidentally.
In this case, Monzo was also inadequately protecting the files containing the PINs by failing to maintain proper access control, increasing the likelihood that customer PINs would be exposed.
The bank said it discovered the misconfigured logs on Friday evening. On Saturday it updated the app so that new PINs were no longer written to the logs, and on Monday it deleted all the logs in question.
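The fix described above amounts to keeping PINs out of the log pipeline altogether. As an added example (not Monzo's code, which the article does not show), the Python logging filter below masks PIN fields before a record reaches any handler, and the scan function flags PIN-like tokens in lines that have already been written. The field names, PIN pattern and sample log call are constructed assumptions for this example.

```python
import io
import logging
import re

# Constructed for this example: field names whose values must never reach a log sink.
SENSITIVE_KEYS = {"pin", "new_pin", "card_pin", "password"}
# Catches a PIN interpolated into free text, e.g. "pin=1234" or "PIN: 123456".
PIN_PATTERN = re.compile(r"(?i)\b(pin)\s*[=:]\s*\d{4,6}\b")
REDACTED = "[REDACTED]"


def redact_mapping(data):
    """Return a copy of a structured payload with sensitive values masked."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in data.items()}

def redact_message(msg):
    """Mask PIN-like tokens formatted directly into a message string."""
    return PIN_PATTERN.sub(r"\1=" + REDACTED, msg)

def scan_log_lines(lines):
    """Detection over existing logs: 1-based numbers of lines still carrying a PIN."""
    return [i for i, line in enumerate(lines, 1) if PIN_PATTERN.search(line)]

class PinRedactionFilter(logging.Filter):
    """Scrub the record in the handler, i.e. before anything is written to disk."""

    def filter(self, record):
        record.msg = redact_message(record.getMessage())  # render args, then mask
        record.args = ()
        if isinstance(getattr(record, "payload", None), dict):
            record.payload = redact_mapping(record.payload)
        return True

def log_pin_change(logger, user_id, new_pin):
    """The leaky pattern: a request payload logged wholesale, PIN included."""
    logger.info("pin change for user=%s pin=%s", user_id, new_pin,
                extra={"payload": {"user": user_id, "pin": new_pin}})

def demo():
    """Constructed run: return exactly what reaches the sink with the filter on."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s payload=%(payload)s"))
    handler.addFilter(PinRedactionFilter())
    logger = logging.getLogger("pin-redaction-demo")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    log_pin_change(logger, "u-42", "1234")
    return buf.getvalue()
```

Attaching the filter to the handler rather than the logger matters: handler filters run in `Handler.handle()` just before `emit()`, so a record that propagates from a child logger is still scrubbed.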
“No one outside Monzo had access to these PINs. We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud,” the bank said in a blog post.
The incident is the first real blemish on Monzo’s record since the bank launched in 2015. The challenger bank boasts two million UK customers, 200,000 new monthly sign-ups and a unicorn (>$1 billion) valuation. In June, the bank formally announced its intention to expand into the US.