UK energy firm Npower is asking customers to change their passwords in the wake of an attack that exploited a vulnerability in its smartphone app. The company has also ditched the app and is asking customers to make payments, view bills and enter meter readings via its official website instead.

Npower won’t reveal how many customer accounts were compromised, but says that it has contacted all affected users.

Data that may have been compromised during the attack includes:
  • Personal information such as contact details, date of birth and address.
  • Partial financial information like sort codes and the last four digits of customers’ bank account numbers.
  • Contact preferences, for instance customers who have stated they prefer to be contacted by email, text or phone.

The attack was a credential stuffing exploit.
  • Credential stuffing is a cyber-attack method in which attackers use lists of compromised user credentials to breach a system.
  • These credentials usually consist of lists of usernames and/or email addresses and corresponding passwords. They are typically stolen in a data breach at another organisation.
  • The stolen data is often sold on the dark web, allowing other attackers to buy it and make use of it. The stolen data is then applied to other online services based on the assumption that many users use the same usernames and passwords across multiple services.
  • Credential stuffing attacks also use bots to automate the attacks and enable the attackers to quickly scale up so the stolen data can be applied to thousands of other accounts in minutes.

Dangers of reusing passwords

Following the attack Npower said some of the personal data may have been used by criminals or could be exploited in the future.

The attack reveals all too clearly the danger of using the same password across different sites and services.
  • If a data breach exposes passwords on one site, one of the first things a cybercriminal will do is try to use those same login credentials on other websites.

This is why it’s so important to have different passwords for different websites and services. Of course, it’s difficult to remember so many passwords, which is where password managers can be useful. They set a strong password for each service and then automatically apply it when you access the site, service or app.

Further, anybody who has had their data stolen needs to be aware of unsolicited emails and phone calls. Cyber criminals will often use the stolen information, such as email addresses and phone numbers, to try and extract further personal and financial information.