Subway app’s security update leaves a queasy feeling in my stomach

Security researcher Scott Helme asked an interesting question on Twitter earlier today, after he received an email from Subway.

Has the sandwich retailer been hacked?

Scott tweet

Well, maybe it hasn’t been hacked (the company hasn’t said that it has suffered a security breach, so let’s try to assume the worst hasn’t happened for once in our lives), but what certainly has happened is that the company has rolled out a new “security upgrade” version of its SUBCARD iOS and Android apps, has locked some users’ accounts, and reset passwords.


Subway email

To ensure you have the best experience using SUBCARD®, we have upgraded our security to ensure your account information remains safe and secure. Please ensure that you have downloaded and are using the latest version of the SUBCARD® App available (version 3.4).

As part of this upgrade you may have received an email from SUBCARD® informing you that your account has been locked and your existing password is no longer valid. To continue to use your SUBCARD® account please download the new app now using the links below. It’s quick and easy to do, all you have to do is log out of the old app, download the new one and re-set a new password.

Hmm. Those are the kind of messages you might put out after you have found that your systems have been breached by hackers.

A number of other users of Subway’s app expressed their concern on Twitter.

But it’s also possible that Subway hasn’t been hacked. Maybe they have stumbled across a serious problem with their apps that could potentially be abused by online criminals, and they are taking pre-emptive steps.

Which, all in all, is a good thing. It’s just a shame they’re not being clearer about what is going on, so minds can be put at rest.

Visiting the app in the iOS App Store doesn’t shed any more light on the matter – the most recent update is described only as incorporating “minor bug fixes & security improvements”, although it does recommend logging out of the app before updating (presumably to ensure that passwords are reset).

Subway iOS app

Finally, if the app update really is a routine security update, it certainly sounds as if Subway is keen for you to be extremely careful with your password security online, advising users to change their passwords “across all sites you shop with”:

At SUBCARD® your online safety is our priority, so we’d also encourage you to take the opportunity to change your details across all sites you shop with, especially for those where you hold the same password details across multiple sites.

Again, that kind of message doesn’t inspire confidence that a data breach hasn’t happened.

Apparently the current (one assumes flawed) version of the app will not work after September 25th.

You can read more on this page on the Subway website.

The webpage, by the way, is called security.html…

My recommendation? Update the app now, or change your lunch plans.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

8 comments on “Subway app’s security update leaves a queasy feeling in my stomach”

  1. JGJones

    Security update plus need to change a password could be as simple as the fact that Subway was storing passwords in cleartext before and is now using hashing to store passwords and perhaps updated password policy (ie allow for long passwords using any characters?)

    Just a guess really!

    1. Graham Cluley · in reply to JGJones

      Yes, that's a definite possibility.

      I don't think we should jump to any conclusions that Subway has been hacked. It's possible that they have found that they weren't securing customer data (such as passwords) properly and the security upgrade to the apps fixes that. Although it wouldn't have been ideal that they were doing that in the first place, it's a good thing if they are now fixing it.

      Like I said, it's a shame they're not sharing more information to put minds at rest.

    2. Scott Helme · in reply to JGJones

      If it was something like that though, they could just hash the existing passwords with whatever new process they were adopting and wouldn't need to reset passwords or lock accounts. There is no need to introduce that level of inconvenience to the user. The only reason I can think of to reset passwords and lock them out is if there was some kind of risk of exposure of the current password to prevent someone gaining access to your account. I've reached out to them for comment so will update Graham with any response I get. Hopefully this isn't anything sinister.
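Scott's point above, that a stronger hashing scheme can be applied to stored credentials without forcing a reset, as an added example that is not part of the post or its comments: a legacy unsalted SHA-1 record (an assumed scheme, chosen for illustration) is wrapped in PBKDF2 offline, without the password, and then replaced by a native PBKDF2 hash on the user's next successful login. The scheme labels, iteration count and sample user are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed parameter, not from the article


def _pbkdf2(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()


def legacy_hash(password: str) -> str:
    """The weak scheme being retired (unsalted SHA-1, assumed for illustration)."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def wrap_legacy(record: str) -> str:
    """Upgrade a stored record without knowing the password: feed the old
    digest into salted PBKDF2 so the database no longer holds a bare SHA-1."""
    scheme, digest = record.split("$", 1)
    if scheme != "sha1":
        raise ValueError("only legacy sha1 records can be wrapped")
    salt = os.urandom(16)
    return "pbkdf2(sha1)$" + salt.hex() + "$" + _pbkdf2(digest.encode(), salt)


def native_hash(password: str) -> str:
    """The target scheme: salted PBKDF2 over the password itself."""
    salt = os.urandom(16)
    return "pbkdf2$" + salt.hex() + "$" + _pbkdf2(password.encode(), salt)


def verify(password: str, record: str) -> tuple:
    """Return (ok, record_to_store). A legacy or wrapped record is replaced
    by a native one on success, so the SHA-1 layer disappears over time."""
    scheme, rest = record.split("$", 1)
    if scheme == "sha1":
        ok = hmac.compare_digest(legacy_hash(password), record)
        return ok, (native_hash(password) if ok else record)
    salt_hex, expected = rest.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "pbkdf2(sha1)":
        inner = hashlib.sha1(password.encode()).hexdigest().encode()
        ok = hmac.compare_digest(_pbkdf2(inner, salt), expected)
        return ok, (native_hash(password) if ok else record)
    if scheme == "pbkdf2":
        return hmac.compare_digest(_pbkdf2(password.encode(), salt), expected), record
    raise ValueError("unknown scheme")


if __name__ == "__main__":
    db = {"alice": legacy_hash("correct horse")}      # constructed sample user
    db = {u: wrap_legacy(r) for u, r in db.items()}   # offline migration, no reset
    ok, db["alice"] = verify("correct horse", db["alice"])
    print(ok, db["alice"].split("$")[0])
```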

  2. Allan Watson

    It seems to be worded very similarly to the phishing scams that attempt to get people to click on a link to "upgrade" their bank account or Yahoo details. Unless Subway confirms that it is genuine, it should be warning its members very publicly to ignore it.

  3. Anonymous

    What does their app do? Why do people download it in the first place?

  4. Rachann

    My card has been hacked and points used/stolen.

  5. Rob

    YES it HAS been hacked. Just look on the darknet marketplace AlphaBay. In the last few months they have sold THOUSANDS of usernames and passwords for this app. Around £1.30 for accounts with over 1000 points. Subway should just admit this – you can still buy accounts!!!

  6. James Battle

    My Subway app is not recognized at my local restaurants, my prepaid orders won't go through, leaving no promised discounts. This hacking situation has to be stopped. Tuna wasn't even my order. BOGO is bogus, a SCAM. Once you get to the store, you order something anyway because you drove so far. Just thinking I used to advertise for Subway, with a promise of discounts that never happened.
