Great Western Railway (GWR) has been forced to reset in the region of a million user accounts after revealing that a small percentage have been compromised by attackers.
The UK train company, which runs services from London to Cornwall, said around 1000 GWR.com accounts had been accessed by unauthorized outsiders.
It’s thought the credentials used to access these accounts may have been harvested from another source. The practice of “credential stuffing” — automatically trying breached password and username pairs in an attempt to access other online accounts — is increasingly common and a reason why experts urge the use of unique passwords for each account.
GWR reset all passwords as a precautionary measure but said its own systems had not been hacked.
RSA Security EMEA field CTO, Rashmi Knowles, praised GWR’s transparency and speed in reacting to the incident, but said security could be further enhanced via two-factor authentication on accounts.
“This is why everyone should practice good cyber-hygiene. If you know that one of your accounts has been compromised, and use the same username and password elsewhere, then update your other accounts immediately,” she said.
“More generally, with consumer breaches of this kind on the rise, you should never be using the same passwords for business and personal use. Targeting consumers is often a gateway into their place of work for hackers. By having separate passwords, you can minimize the chances of your employer being affected.”
Mike Viscuso, CTO of Carbon Black, argued that adding extra characters to your password can make it harder to crack.
“While there’s more than just brute-force guessing as a method to stealing passwords, the sentiment remains the same — the more complex a password is, the harder it may be for a hacker to steal and leverage,” he added. “And, beyond creating complex passwords, using a password manager, never reusing old or existing passwords, and using two-factor authentication, are all good tips to ensure better cybersecurity hygiene.”