International high-speed rail operator Eurostar is emailing its users this week requiring them to reset their account passwords in a bid to “upgrade” security.
But users who visit the password reset link experience “technical issues”, which prevent them from resetting their password or logging into their accounts.
Eurostar is well known for linking the UK to France, Belgium and the Netherlands with most of its trains passing through the Channel Tunnel.
Eurostar password reset bug locks out passengers
Eurostar is sending an email to all its customers this week requiring them to reset their account passwords as the train operator claims to be “busy” improving account security for everyone.
BleepingComputer also received such an email notification:
“To continue using your Eurostar account, you will need to reset your password,” the email read. “If you also use the Eurostar mobile app, you will need to update it to the latest version.”
However, navigating to the “reset password” link and following the instructions doesn’t solve anything. Instead, users receive the following error message:
“Sorry, we’re having some technical issues, so we can’t send the email right now. Please try again later.”
BleepingComputer observed the behavior yesterday, shortly after testing the link in the email notification. The problem persists today.
The bug has caused increased frustration among passengers and Eurostar users around the world who are now effectively locked out of their accounts.
On every successful login attempt, users are shown a password reset interstitial that blocks access to their account until a password reset is performed. However, the password reset never takes place due to the aforementioned technical error.
“@Eurostar how to tell your customers you hate them without saying it: lock everyone’s account and make it impossible to reset their password,” tweeted one user.
Several other annoyed users chimed in:
Sending emails to “dear customer” then sending them on a “We are experiencing technical difficulties, please try again later” loop, three days later that sounds like a “data breach” situation to me…. .. Can we have some clarification please @Eurostar ? https://t.co/xgvYnFgooG
— Mike B. (@brooomster) February 13, 2023
We have further observed confused customers who panicked, mistaking the (legitimate) Eurostar email for a phishing attempt.
Continuous maintenance to blame?
In a lengthy Twitter thread posted on Friday, Eurostar admitted to being aware of problems users were having when trying to access Club Eurostar accounts and blamed them on ongoing maintenance. But that was before the company began sending out the password reset emails.
Previously, customers reported that their reservations and information were “missing” in their accounts:
We are aware that reservations are missing when accessing an account, but we can confirm that the reservations are still there and have not been deleted if they were previously in the account. The account maintenance upgrade still has some finalization work to complete and bookings will show up again.
—Eurostar (@Eurostar) February 10, 2023
The train operator, at the time, advised customers to clear cookies from their browser or try signing up again using the same email address. But that doesn’t seem to work as a solution for anyone [1, 2].
Eurostar last applied a widespread password reset in 2018 when it suffered a data breach, as reported by The Telegraph at the time.
We have yet to find out whether forced password reset is indeed Eurostar’s way of increasing account security, or whether the action is prompted by a cybersecurity incident, such as unauthorized access to systems or a data breach.
BleepingComputer emailed Eurostar with questions long before publication and we are awaiting their response.