Npower Ditches App After Credential Stuffing Attacks

One of the UK’s largest energy firms has been forced to deactivate its mobile app after reports emerged of a coordinated credential stuffing campaign against users.

Npower has informed all of the affected customers, although it’s unclear exactly how many had their accounts hijacked by attackers.

Data that may have been viewed includes personal information like: dates of birth, contact details and addresses, partial financial information including sort codes and the last four digits of bank account numbers and contact preferences, according to MoneySavingExpert.

Although there’s no obvious information for affected customers on the Npower website, they were reportedly contacted about the incident in early February.

“We immediately locked any online accounts that were affected, blocked suspicious IP addresses and deactivated the Npower app,” a statement from the firm noted.

“We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority.”

The app was set to be canned even before the incident, but the credential stuffing campaign accelerated the process, the report claimed.

Credential stuffing attacks are primarily the fault of customers/end users that reuse passwords across multiple sites. That means if one of those companies is breached, attackers can feed these stolen credentials into automated software, which tries them in large numbers across other websites.

James McQuiggan, security awareness advocate at KnowBe4, explained that consumers could try free monitoring services like HaveIBeenPwned to check if their logins have been previously breached.

“Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach,” he said.

“The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuff attack. Finally, using multi-factor authentication (MFA), wherever provided by the organization, can add that extra layer of protection to an account.”

What’s Hot on Infosecurity Magazine?