International high-speed rail operator Eurostar is emailing its users this week requiring them to reset their account passwords in a bid to “upgrade” security.

But users who visit the password reset link experience “technical issues”, which prevent them from resetting their password or logging into their accounts.

Eurostar is well known for linking the UK to France, Belgium and the Netherlands with most of its trains passing through the Channel Tunnel.

Eurostar password reset bug locks out passengers

Eurostar is sending an email to all its customers this week requiring them to reset their account passwords as the train operator claims to be “busy” improving account security for everyone.

BleepingComputer also received such an email notification below:

Eurostar password reset email sent February 2023
Eurostar password reset email sent on 13 February (Computer Beep)

“To continue using your Eurostar account, you will need to reset your password,” the email read. “If you also use the Eurostar mobile app, you will need to update it to the latest version.”

However, navigating to the “reset password” link and following the instructions doesn’t solve anything. Instead, users receive the following error message:

“Sorry, we’re having some technical issues, so we can’t send the email right now. Please try again later.”

Password reset fails
Password reset fails due to “technical issues” (Computer Beep)

BleepingComputer observed the behavior yesterday, shortly after testing the link in the email notification. The problem persists today.

The bug has caused increased frustration among passengers and Eurostar users around the world who are now effectively locked out of their accounts.

On every successful login attempt, users receive the password reset interstitial which does not allow them access to their account until a password reset is performed. However, the password reset never takes place due to the aforementioned technical error.

Eurostar password reset interstitial
Eurostar password reset interstitial after login (Computer Beep)

“@Eurostar how to tell your customers you hate them without saying it: lock everyone’s account and make it impossible to reset their password,” tweet an user.

Several other annoyed users chimed in:

We have further observed confused customers who panicked, mistaking the (legitimate) Eurostar email for a phishing attempt.

Continuous maintenance to blame?

In a lengthy Twitter thread posted on Friday, Eurostar admitted to being aware of problems users were having when trying to access Club Eurostar accounts and blamed it on ongoing maintenance. But it was Before to the company that sends password reset emails.

Previously, customers reported that their reservations and information were “missing” in their accounts:

The train operator, at the time, advised customers to clear cookies from their browser or try signing up again using the same email address. But that doesn’t seem to work as a solution for anyone [1, 2].

Eurostar last applied a widespread password reset in 2018 when it suffered a data breachas reported by The Telegraph at the time.

We have yet to find out whether forced password reset is indeed Eurostar’s way of increasing account security, or whether the action is prompted by a cybersecurity incident, such as unauthorized access to systems or a data breach.

BleepingComputer emailed Eurostar with questions long before publication and we are awaiting their response.


Source link