Security researcher Scott Helme asked an interesting question on Twitter earlier today, after he received an email from Subway.
Has the sandwich retailer been hacked?
Well, maybe it hasn’t been hacked (the company hasn’t said that it has suffered a security breach, so let’s try to assume the worst hasn’t happened for once in our lives), but what certainly has happened is that the company has rolled out a new “security upgrade” version of its SUBCARD iOS and Android apps, has locked some users’ accounts, and reset passwords.
To ensure you have the best experience using SUBCARD®, we have upgraded our security to ensure your account information remains safe and secure. Please ensure that you have downloaded and are using the latest version of the SUBCARD® App available (version 3.4).
As part of this upgrade you may have received an email from SUBCARD® informing you that your account has been locked and your existing password is no longer valid. To continue to use your SUBCARD® account please download the new app now using the links below. It’s quick and easy to do, all you have to do is log out of the old app, download the new one and re-set a new password.
Hmm. Those are the kind of messages you might put out after you have found that your systems have been breached by hackers.
A number of other users of Subway’s app expressed their concern on Twitter.
So, has the @SUBWAY card had a security breach and I've not noticed? Enforce app upgrade and password changes…. #suspicious
— Kelly (@kelly_tengi) August 24, 2015
"Due to a system upgrade, your old version of the SUBWAY® app has been locked and your existing password is no longer valid" yeah right…
— Phil Moore (@philleonono) August 24, 2015
But it’s also possible that Subway hasn’t been hacked. Maybe they have stumbled across a serious problem with their apps that could potentially be abused by online criminals, and they are taking pre-emptive steps.
Which, all in all, is a good thing. It’s just a shame they’re not being clearer about what is going on, so minds can be put at rest.
Visiting the app in the iOS App Store doesn’t shed any more light on the matter – the most recent update is described only as incorporating “minor bug fixes & security improvements”, although it does recommend logging out of the app before updating (presumably to ensure that passwords are reset).
Finally, even if the app update is just a regular security update, it certainly sounds as if Subway is keen for you to be extremely careful with your password security online, advising users to change their passwords “across all sites you shop with”:
At SUBCARD® your online safety is our priority, so we’d also encourage you to take the opportunity to change your details across all sites you shop with, especially for those where you hold the same password details across multiple sites.
Again, that kind of message doesn’t inspire confidence that a data breach hasn’t happened.
Apparently the current (one assumes flawed) version of the app will not work after September 25th.
You can read more on this page on the Subway website.
The webpage, by the way, is called security.html…
My recommendation? Update the app now, or change your lunch plans.
A security update plus the need to change a password could be as simple as the fact that Subway was storing passwords in cleartext before and is now using hashing to store passwords, and perhaps updated its password policy (i.e. allowing long passwords using any characters?)
http://plaintextoffenders.com/post/17148439770/subwaycouk-uks-subway-sandwiches-subways
Just a guess really!
Yes, that's a definite possibility.
I don't think we should jump to any conclusions that Subway has been hacked. It's possible that they have found that they weren't securing customer data (such as passwords) properly and the security upgrade to the apps fixes that. Although it wouldn't have been ideal that they were doing that in the first place, it's a good thing if they are now fixing it.
Like I said, it's a shame they're not sharing more information to put minds at rest.
If it was something like that though, they could just hash the existing passwords with whatever new process they were adopting and wouldn't need to reset passwords or lock accounts. There is no need to introduce that level of inconvenience to the user. The only reason I can think of to reset passwords and lock them out is if there was some kind of risk of exposure of the current password to prevent someone gaining access to your account. I've reached out to them for comment so will update Graham with any response I get. Hopefully this isn't anything sinister.
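The migration the comment above describes can be shown concretely. The following is an added example, not code from the article, from Subway, or from any commenter: it takes a constructed legacy store (one record kept in cleartext, one kept as an unsalted SHA-1 digest) and upgrades both to salted PBKDF2-SHA256 in place, so existing users keep logging in with their current password and no reset is needed. The store layout, the `legacy_sha1` scheme name and the iteration count are assumptions for illustration. As the comment notes, this only helps when the old values were never exposed; if they may have been, re-hashing them does nothing to stop someone who already holds the password, and a reset is the right call.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the example

# Constructed sample data, not real accounts. Two legacy storage styles:
# "plaintext" kept the password itself; "legacy_sha1" kept an unsalted
# SHA-1 digest (also weak: no salt, fast to brute-force).
LEGACY_STORE = {
    "alice": {"scheme": "plaintext", "value": "correct horse battery staple"},
    "bob": {"scheme": "legacy_sha1",
            "value": hashlib.sha1(b"hunter2").hexdigest()},
}


def _pbkdf2(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def migrate_record(record: dict) -> dict:
    """Upgrade one legacy record to salted PBKDF2 without knowing the user's
    intent or forcing a reset.

    - plaintext: hash the password directly.
    - legacy_sha1: wrap the old digest (PBKDF2 over the SHA-1 hex string), so
      the server can still verify a login by recomputing SHA-1 first. The
      unsalted digest is discarded from storage either way.
    """
    salt = os.urandom(16)
    scheme = record["scheme"]
    if scheme == "plaintext":
        material = record["value"].encode("utf-8")
        new_scheme = "pbkdf2-sha256"
    elif scheme == "legacy_sha1":
        material = record["value"].encode("ascii")
        new_scheme = "pbkdf2-sha256(sha1)"
    else:
        raise ValueError(f"unknown legacy scheme {scheme!r}")
    digest = _pbkdf2(material, salt, PBKDF2_ITERATIONS)
    return {"scheme": new_scheme, "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def migrate_store(legacy: dict) -> dict:
    """Re-hash every account in place; accounts stay usable throughout."""
    return {user: migrate_record(rec) for user, rec in legacy.items()}


def verify_password(record: dict, attempt: str) -> bool:
    """Check a login attempt against a migrated record in constant time."""
    scheme = record.get("scheme")
    if scheme == "pbkdf2-sha256":
        material = attempt.encode("utf-8")
    elif scheme == "pbkdf2-sha256(sha1)":
        # Reproduce the legacy step, then the wrapper.
        material = hashlib.sha1(attempt.encode("utf-8")).hexdigest().encode("ascii")
    else:
        return False  # unmigrated or unknown records never verify
    digest = _pbkdf2(material, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def store_has_cleartext(store: dict) -> bool:
    """Post-migration check: no record may still carry a raw password."""
    return any(rec.get("scheme") == "plaintext" for rec in store.values())


if __name__ == "__main__":
    new_store = migrate_store(LEGACY_STORE)
    print("cleartext remaining:", store_has_cleartext(new_store))
    print("alice ok:", verify_password(new_store["alice"], "correct horse battery staple"))
    print("bob ok:", verify_password(new_store["bob"], "hunter2"))
    print("bob wrong:", verify_password(new_store["bob"], "hunter3"))
```

A wrapped record (`pbkdf2-sha256(sha1)`) can be upgraded to a plain `pbkdf2-sha256` record the next time that user logs in successfully, since the server then has the password in hand; that is the usual way to retire the inner legacy hash without a forced reset.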
It seems to be worded very similarly to the phishing scams that attempt to get people to click on a link to "upgrade" their bank account or Yahoo details. Unless Subway confirms that it is genuine, it should be warning its members very publicly to ignore it.
What does their app do? Why do people download it in the first place?
My card has been hacked and points used/stolen.
YES it HAS been hacked. Just look on the darknet marketplace AlphaBay. In the last few months they have sold THOUSANDS of usernames and passwords for this app. Around £1.30 for accounts with over 1000 points. Subway should just admit this – you can still buy accounts!!!
My Subway app is not recognized at my local restaurants, my prepaid orders won't go through, leaving no promised discounts. This hacking situation has to be stopped. Tuna wasn't even my order. BOGO is bogus, a SCAM; once you get to the store, you order something anyway because you drove so far. Just thinking I used to advertise for Subway, with a promise of discounts that never happened.