Safeway rolls back their 2fa login procedure

Speaking of IT roll backs, three weeks ago on April 25, Safeway rolled out a new 2fa login procedure that was unannounced. Before that date, the login screen would show you a login and password box like any other web site. Easy enough. However, for some weird and stupid reason, they decided the new login screen would be:

  1. Enter email
  2. A new screen pops up saying to check your email for a 6 digit code. Enter that in or else you can click on a link to get you to a password box, which you can then enter.

I’ve never seen any website that forced 2FA like that before. You’ve always had to opt in to that 2FA. I get that they want to make their login more secure, but without any prior notice and NO OPTIN OR OPTOUT is crazy. Even stock trading platforms don’t default to 2FA, especially if you’ve logged in previously on the same pc.

Then on May 15th, they rolled back their old login procedure. I’m guessing a lot of old customers called in to complain and they changed it back. Like bro, you’re a grocery store web site. Just make sure your prices match your ad. That’s all we ask.

One thought on “Safeway rolls back their 2fa login procedure

  1. Our Safeway account got “hacked” a few months ago and the thieves cashed out ALL our saved points. They got $100 off their ~$103 grocery bill in California, and we got a few hours of customer service phone calls to get the points back. (we didn’t teleport to California from our home state, and the purchase was surrounded by ones from our home state which helped a lot)

    In hindsight I would have PREFERED to have 2FA even as an option on our Safeway account. It has the potential to lose a lot of your personal information including your home address (for grocery deliveries) and your credit card if you have it saved (for said deliveries, or in-store-pickup).

    The fact that I CAN’T opt-in to 2FA while having that information on my account is terrifying. The only thing protecting my account is a password, and now that someone knows the phone number or email they could just brute-force their way back in..

    Once they’re in the account they could change your home address to a neutral dropoff location (e.g. a warehouse or random address), or for in-store pickup at any store in the country that they want, max out your credit card with whatever Safeway carries that they want to “buy”, to probably resell, and get off scott free. There’s nothing tying it back to the thieves — your account and credit card would appear at the purchase site as if you just teleported across the country.

Leave a Reply

Your email address will not be published. Required fields are marked *