Security researcher Scott Helme asked an interesting question on Twitter earlier today, after he received an email from Subway.
Has the sandwich retailer been hacked?
Well, maybe it hasn't been hacked (the company hasn't said that it has suffered a security breach, so let's try to assume the worst hasn't happened for once in our lives), but what certainly has happened is that the company has rolled out a new "security upgrade" version of its SUBCARD iOS and Android apps, has locked some users' accounts, and reset passwords.
To ensure you have the best experience using SUBCARD®, we have upgraded our security to ensure your account information remains safe and secure. Please ensure that you have downloaded and are using the latest version of the SUBCARD® App available (version 3.4).
As part of this upgrade you may have received an email from SUBCARD® informing you that your account has been locked and your existing password is no longer valid. To continue to use your SUBCARD® account please download the new app now using the links below. It’s quick and easy to do, all you have to do is log out of the old app, download the new one and re-set a new password.
Hmm. Those are the kind of messages you might put out after you have found that your systems have been breached by hackers.
A number of other users of Subway's app expressed their concern on Twitter.
— Kelly (@kelly_tengi) August 24, 2015
"Due to a system upgrade, your old version of the SUBWAY® app has been locked and your existing password is no longer valid" yeah right...
— Phil Moore (@philleonono) August 24, 2015
..“Our old app has been hacked, so we’ve fixed it, and you need to change all your details!”. Good one @SUBWAY
— Mark (@mstevenson83) August 24, 2015
But it's also possible that Subway hasn't been hacked. Maybe they have stumbled across a serious problem with their apps that could potentially be abused by online criminals, and they are taking pre-emptive steps.
Which, all in all, is a good thing. It's just a shame they're not being clearer about what is going on, so minds can be put at rest.
Visiting the app in the iOS App Store doesn't shed any more light on the matter - the most recent update is just described as incorporating "minor bug fixes & security improvements", although it does recommend logging out of the app before updating (presumably to ensure that passwords are reset).
Finally, if the app update is a regular security update, it certainly sounds as if Subway is keen for you to be extremely careful with your password security online, advising users to change their passwords "across all sites you shop with":
At SUBCARD® your online safety is our priority, so we'd also encourage you to take the opportunity to change your details across all sites you shop with, especially for those where you hold the same password details across multiple sites.
Again, that kind of message doesn't inspire confidence that a data breach hasn't happened.
Apparently the current (one assumes flawed) version of the app will not work after September 25th.
You can read more on this page on the Subway website.
The webpage, by the way, is called security.html...
My recommendation? Update the app now, or change your lunch plans.