diff --git a/app/code/Magento/Customer/Controller/Account/LoginPost.php b/app/code/Magento/Customer/Controller/Account/LoginPost.php
index b1b3a8b020c9a..df2b3be78ef50 100644
--- a/app/code/Magento/Customer/Controller/Account/LoginPost.php
+++ b/app/code/Magento/Customer/Controller/Account/LoginPost.php
@@ -86,8 +86,7 @@ public function executeInternal()
} catch (EmailNotConfirmedException $e) {
$value = $this->customerUrl->getEmailConfirmationUrl($login['username']);
$message = __(
- 'This account is not confirmed.' .
- ' Click here to resend confirmation email.',
+ 'This account is not confirmed. Click here to resend confirmation email.',
$value
);
$this->messageManager->addError($message);
@@ -97,7 +96,10 @@ public function executeInternal()
$this->messageManager->addError($message);
$this->session->setUsername($login['username']);
} catch (\Exception $e) {
- $this->messageManager->addError(__('Invalid login or password.'));
+ // PA DSS violation: throwing or logging an exception here can disclose customer password
+ $this->messageManager->addError(
+ __('An unspecified error occurred. Please contact us for assistance.')
+ );
}
} else {
$this->messageManager->addError(__('A login and a password are required.'));
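Review bot: The new catch-all branch drops `$e` without a trace, so an unexpected failure during login (database or session-backend error, for example) leaves operators nothing to diagnose while the customer only sees the generic message. The disclosure risk the comment cites lies in the exception message, which can embed request data, not in its type, so recording the class and code — `$this->logger->critical(get_class($e) . ' during customer login');`, assuming the controller has a PSR logger injected, which this hunk does not show — keeps a diagnostic trail without the password. The comment should also match what the code actually does: `// Do not log $e->getMessage(): the exception text may embed the submitted password (PA DSS).` This catch sits inside executeInternal, whose start and end are outside the hunk.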
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Account/LoginPostTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Account/LoginPostTest.php
index ca9a975b7cd61..9a71d5b897f90 100644
--- a/app/code/Magento/Customer/Test/Unit/Controller/Account/LoginPostTest.php
+++ b/app/code/Magento/Customer/Test/Unit/Controller/Account/LoginPostTest.php
@@ -423,7 +423,7 @@ protected function mockExceptions($exception, $username)
case '\Exception':
$this->messageManager->expects($this->once())
->method('addError')
- ->with(__('Invalid login or password.'))
+ ->with(__('An unspecified error occurred. Please contact us for assistance.'))
->willReturnSelf();
break;
}