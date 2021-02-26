Infosecurity Group Websites

Npower Ditches App After Credential Stuffing Attacks

One of the UK’s largest energy firms has been forced to deactivate its mobile app after reports emerged of a coordinated credential stuffing campaign against users.

Npower has informed all of the affected customers, although it’s unclear exactly how many had their accounts hijacked by attackers.

Data that may have been viewed includes personal information such as dates of birth, contact details and addresses, partial financial information including sort codes and the last four digits of bank account numbers, and contact preferences, according to MoneySavingExpert.

Although there’s no obvious information for affected customers on the Npower website, they were reportedly contacted about the incident in early February.

“We immediately locked any online accounts that were affected, blocked suspicious IP addresses and deactivated the Npower app,” a statement from the firm noted.

“We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority.”

The app was set to be canned even before the incident, but the credential stuffing campaign accelerated the process, the report claimed.

Credential stuffing attacks are primarily the fault of customers/end users who reuse passwords across multiple sites. That means if one of those sites is breached, attackers can feed the stolen credentials into automated software, which tries them in large numbers across other websites.
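Seen from the defending site's login logs, that pattern is one source trying many different accounts with mostly failed logins. The sketch below is an added example, not Npower's or Infosecurity's code; the events are constructed, the IP addresses are documentation ranges, and the function names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (time, source IP, username, success)."""
    base = datetime(2021, 2, 1, 9, 0, 0)
    events = []
    # Stuffing pattern: one IP, 30 different accounts, one try each, one hit.
    for i in range(30):
        events.append((base + timedelta(seconds=2 * i), "203.0.113.7", f"user{i}", i == 17))
    # Forgetful customer: one account, four failures, then success.
    for i in range(5):
        events.append((base + timedelta(seconds=20 * i), "198.51.100.4", "alice", i == 4))
    # Shared office address: many accounts, but almost all logins succeed.
    for i in range(12):
        events.append((base + timedelta(seconds=30 * i), "192.0.2.10", f"staff{i}", i != 3))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=10, min_fail_ratio=0.8):
    """Map each flagged IP to the accounts it logged in to successfully.

    Thresholds are assumed values for illustration, not tuned figures.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            accounts = {user for _, user, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Successes from a flagged IP are the accounts to lock and reset.
                flagged[ip] = sorted({user for _, user, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(sample_events()).items():
        print(f"{ip}: block source, lock accounts {accounts}")
```

Per-IP counting misses campaigns spread across many source addresses, so it works best alongside per-account signals and MFA.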

James McQuiggan, security awareness advocate at KnowBe4, explained that consumers could try free monitoring services like HaveIBeenPwned to check if their logins have been previously breached.

“Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach,” he said.

“The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuffing attack. Finally, using multi-factor authentication (MFA), wherever provided by the organization, can add that extra layer of protection to an account.”
