When Monzo customers used one of these two features, they'd be asked to enter their account PIN for authorization purposes, but unbeknownst to them, the PIN would also be recorded in Monzo's internal logs.
Monzo said these logs were encrypted and that only a few employees had access to the data stored inside.
Monzo worked over the weekend to purge logs of customer PINs
The company said it discovered the bug on Friday, August 2, and spent all weekend removing PIN numbers from its internal logs.
The company also published an update for its mobile app on Saturday, August 3, so the apps won't send the account PIN code to Monzo servers anymore.
The company said that all users should update their mobile apps. Users who had their PINs recorded in Monzo's logs received email notifications. Users who didn't receive an email were not impacted, the bank said. The number of affected users is around 480,000.
Monzo is a so-called "mobile bank" that launched in the UK in 2015, under the name Mondo. It doesn't have any branches and operates solely via its mobile apps.
The company said it passed the one million user mark in October 2018. On its website, Monzo claims that over 55,000 people open an account every week. In June 2019, the company announced plans to launch in the US.
The "store passwords in cleartext" club
Monzo's mistake isn't an isolated snafu. Bigger names have made the same error in the past two years.