But, when users click the password reset link, "technical issues" are apparently keeping them from changing their passwords or logging into their accounts.
The company, renowned for linking countries like the UK to France, Belgium, and the Netherlands with most of its trains crossing the Channel Tunnel, has been emailing customers where the railway operator would claim to be “busy” upgrading the account security for its customers.
Apparently, the email would read “Dear customer, we’ve been busy upgrading our security to protect your account and your personal details. To continue using your Eurostar account, you’ll need to reset your password. If you also use the Eurostar mobile app, you’ll need to update it to the latest version.”
Nevertheless, clicking the "reset password" link and following the navigation is ineffective. Users instead encounter the following error message: "Sorry, we're having a few technical problems so we can't send the email at the moment. Please try again a little later."
That bug has caused immense frustration among Eurostar passengers and users around the globe who are now effectively locked out of their accounts.
Users are shown the password reset interstitial after each successful login attempt, which prevents them from accessing their accounts until they reset their passwords. However, owing to the aforementioned technical problem, the password reset never occurs.
In regards to the issue, a user tweets “@Eurostar how to tell your customers you hate them without saying it: lock everyone’s account and make it impossible to reset their password.” Moreover, it was observed that the perplexed users, were mistaking Eurostar’s legitimate email for a phishing attempt.
In a lengthy Twitter thread on Friday, Eurostar acknowledged that users were experiencing problems accessing their Club Eurostar accounts and attributed this to ongoing maintenance. Yet, this was before the business started sending out emails for password resets.
Among many instances, customers have complained that their reservations and data were "lost" from their accounts.
The railway operator, at the time, advised users to clear their browser cookies or re-attempt registration with the same email address. Although, nobody seems to benefit from this as a solution.
The last time a comprehensive password reset was implemented by Eurostar was in 2018 following a data breach, as The Telegraph at the time reported.
It is still unclear whether the forced password reset is really Eurostar's attempt to increase account security or if it is a response to a cybersecurity issue like system compromise or data breach.
In regards to the situation, a Eurostar spokesperson addresses the issue with the statement, “our customers were contacted to reset their password following an update to our customer authentication system. The sudden volume of customers who attempted to do this caused some technical difficulties and we are working to resolve this as soon as possible. We apologize for any inconvenience this has caused.”
Google has recently introduced a fix for another zero-day bug in its Chrome browser and has also released a new security update for desktops. The bug (CVE-2020-16009) that affected the V8 component of the Chrome browser was discovered by Clement Lecigne and Samuel Groß of Google's Threat Analysis Group (TAG) and Google Project Zero respectively.