The digital bank Monzo has called on 480,000 customers to reset their PIN codes after leaving them exposed in an internal database.
The security codes were stored in encrypted log files which were accessible to around 100 of Monzo’s engineers, the bank discovered on Friday.
On Monday it sent out emails to affected users, roughly a fifth of its customer base, alerting them to the security flaw and asking them to update their apps.
The bank, one of a small number of so-called “challengers” which have attracted a loyal following among young people, has sought to talk up its security credentials in the past.
Last summer, for example, it revealed that its fraud team had used sophisticated analysis to protect customers from the Ticketmaster card-skimming attack.
In an email shared with affected users on Monday, Monzo said: “We’ve deleted any information that we stored in this way, and we’ve released an update to the Monzo app. As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo.”
The bank said it had checked to see if any of the affected accounts had been subject to fraud and had found that they hadn’t. But it added: “If we’ve contacted you to tell you that you’ve been affected, you should head to a cash machine to change your PIN to a new number as a precaution.”
Monzo was valued at £2bn earlier this year, making it one of Europe’s most valuable fintech startups. It has 2.6 million customers and is on course to reach 3 million in the coming months, its chief executive, Tom Blomfield, has said.