International high-speed rail operator, Eurostar, is emailing its users this week and forcing them to reset their account passwords in a bid to “upgrade” security.
But users who visit the password reset link are met with “technical problems,” thereby making it impossible for them to reset their password or log in to their accounts.
Eurostar is well known for connecting the United Kingdom to France, Belgium, and Netherlands with most of its trains crossing the Channel Tunnel.
Eurostar password reset bug is locking passengers out
Eurostar is emailing all its customers this week, forcing them to reset their account passwords as the railway operator claims to be “busy” upgrading account security for everyone.
BleepingComputer also received such an email notification shown below:
“To continue using your Eurostar account, you’ll need to reset your password,” reads the email. “If you also use the Eurostar mobile app, you’ll need to update it to the latest version.”
Navigating to the “reset password” link, however, and following through the instructions does not solve anything. Instead, users are met with the following error message:
“Sorry, we’re having a few technical problems so we can’t send the email at the moment. Please try again a little later.”
BleepingComputer observed the behavior occurring yesterday, shortly after we tested the link in the email notification. The issue is persisting today.
The bug has caused increased frustration among Eurostar passengers and users around the world who are now effectively locked out of their accounts.
Upon every successful log in attempt, users are presented with the password reset interstitial that won’t let them access their account until a password reset is performed. However, the password reset never takes place due to the aforementioned technical error.
“@Eurostar how to tell your customers you hate them without saying it: lock everyone’s account and make it impossible to reset their password,” tweets one user.
We further observed confused customers who panicked, mistaking Eurostar’s (legitimate) email for a phishing attempt.
Ongoing maintenance to blame?
In a long Twitter thread posted Friday, Eurostar admitted being aware of users met with issues when attempting to access Club Eurostar accounts and blamed it on ongoing maintenance. But, this was prior to the company sending out password reset emails.
Previously, customers reported their bookings and information being “missing” from their accounts:
The railway operator, at the time, had advised customers to clear their browser cookies or re-attempt registration using the same email address. But this does not seem to work as a solution for anyone [1, 2].
We are yet to find out if the forced password reset is indeed Eurostar’s way of tightening account security, or if the action is prompted by a cybersecurity incident, such as unauthorized access to systems or a data breach.
BleepingComputer contacted Eurostar with questions well in advance of publishing. A Eurostar spokesperson shared a statement with us:
“Our customers were contacted to reset their password following an update to our customer authentication system. The sudden volume of customers who attempted to do this caused some technical difficulties and we are working to resolve this as soon as possible. We apologise for any inconvenience this has caused.”