Eurostar forces 'password resets' — then fails and locks users out

International high-speed rail operator, Eurostar, is emailing its users this week and forcing them to reset their account passwords in a bid to "upgrade" security.

But users who visit the password reset link  are met with "technical problems," thereby making it impossible for them to reset their password or log in to their accounts.

Eurostar is well known for connecting the United Kingdom to France, Belgium, and Netherlands with most of its trains crossing the Channel Tunnel.

Eurostar password reset bug is locking passengers out

Eurostar is emailing all its customers this week, forcing them to reset their account passwords as the railway operator claims to be "busy" upgrading account security for everyone.

BleepingComputer also received such an email notification shown below:

Eurostar password reset email sent February, 13th (BleepingComputer)

"To continue using your Eurostar account, you'll need to reset your password," reads the email. "If you also use the Eurostar mobile app, you'll need to update it to the latest version."

Navigating to the "reset password" link, however, and following through the instructions does not solve anything. Instead, users are met with the following error message:

"Sorry, we're having a few technical problems so we can't send the email at the moment. Please try again a little later."

Password reset fails due to 'technical problems' (BleepingComputer)

BleepingComputer observed the behavior occurring yesterday, shortly after we tested the link in the email notification. The issue is persisting today.

The bug has caused increased frustration among Eurostar passengers and users around the world who are now effectively locked out of their accounts.

Upon every successful log in attempt, users are presented with the password reset interstitial that won't let them access their account until a password reset is performed. However, the password reset never takes place due to the aforementioned technical error.

Eurostar password reset interstitial after log in (BleepingComputer)

"@Eurostar how to tell your customers you hate them without saying it: lock everyone's account and make it impossible to reset their password," tweets one user.

Several other annoyed users chimed in:

Sending emails out to "dear customer" then sending them on a "We're having technical difficulties Please try again a little later" loop, three days after this strikes me as a "data breach" situation...... Can we have some clarification please @Eurostar ? https://t.co/xgvYnFgooG

We further observed confused customers who panicked, mistaking Eurostar's (legitimate) email for a phishing attempt.

Ongoing maintenance to blame?

In a long Twitter thread posted Friday, Eurostar admitted being aware of users met with issues when attempting to access Club Eurostar accounts and blamed it on ongoing maintenance. But, this was prior to the company sending out password reset emails.

Previously, customers reported their bookings and information being "missing" from their accounts: 

We're aware that bookings are missing when accessing an account but can confirm that the bookings are still there and haven't been removed if were previously in the account. The account maintenance upgrade still has some finalisation work to complete and bookings will show again.

The railway operator, at the time, had advised customers to clear their browser cookies or re-attempt registration using the same email address. But this does not seem to work as a solution for anyone [1, 2].

Eurostar last enforced a widespread password reset in 2018 when it had experienced a data breach, as reported by The Telegraph at the time.

We are yet to find out if the forced password reset is indeed Eurostar's way of tightening account security, or if the action is prompted by a cybersecurity incident, such as unauthorized access to systems or a data breach.

BleepingComputer has emailed Eurostar with questions well in advance of publishing and we are awaiting their response.