Major UK energy supplier Npower has had to scrap its app after cybercriminals stole sensitive customer information, including financial data. The incident was first reported by MoneySavingExpert.com; Npower has stated that customer information was exposed after login details taken from other websites were used to access accounts.
This common attack technique, known as credential stuffing, allowed the hackers to gain access to customer accounts. Npower has confirmed that not all accounts were accessed, and that the customers whose accounts were accessed have since been contacted about the breach and had their accounts locked.
It is still unclear exactly how the breach occurred, but the hackers were able to view personal information, partial financial information and contact preferences. The Information Commissioner's Office (ICO) has been notified in accordance with GDPR, and an investigation is underway.
The Npower app will remain shut down (its retirement had already been planned following the acquisition by E.ON), with the company working to ensure that a similar attack is avoided. It has also advised that all customers should continue to use the website services as normal.
Npower has further advised all users to change their passwords on any other accounts and to ensure that the same password is not reused across accounts. Users should also be alert for any potentially fraudulent or suspicious activity on their bank accounts.
If you think you’ve been a victim of fraud, report it to Action Fraud online at actionfraud.police.uk or by calling 0300 123 2040.
Providing further insight and advice are the following cybersecurity experts:
James McQuiggan, security awareness advocate at KnowBe4:
“We all know it’s easier to remember one style of password or one password for all of our accounts. However, cybercriminals are fully aware of this and use passwords stolen from other data breaches to access various user accounts. While phishing and other attack vectors involve more analysis and security measures, credential stuffing is something that we as individuals can fix ourselves.
There are free monitoring services available, like HaveIBeenPwned.com, where you can find out if your email is known to be involved in a previous data breach. Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach. The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuffing attack.
Finally, using multi-factor authentication or MFA, wherever provided by the organization, can add that extra layer of protection to an account. If the password is compromised, it is significantly more difficult for cybercriminals to gain access and expose a user’s data. Organizations want to implement a robust security culture to inform users of the importance of unique passwords to reduce the risk of compromised accounts and the potential loss of stolen Personally Identifiable Information.”
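The "find out whether a password is known to be compromised" step above can be done without ever sending the password (or its full hash) to the checking service. This is an added example, not code from the article or from KnowBe4 or HaveIBeenPwned: it implements the k-anonymity range scheme that the Pwned Passwords API uses (the client sends only the first five hex characters of the SHA-1 hash to `https://api.pwnedpasswords.com/range/<prefix>` and receives every known suffix for that prefix with a breach count). The breach corpus and the server side here are constructed stand-ins so the example runs offline; the real service holds hundreds of millions of hashes and its counts differ.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# (Assumption for the example; the real Pwned Passwords corpus is far larger.)
CONSTRUCTED_CORPUS = {
    "password": 3861493,
    "123456": 23597311,
    "Npower2021!": 2,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server-side view: 5-char hash prefix -> list of '<35-char suffix>:<count>'."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def range_lookup(prefix: str) -> str:
    """Constructed replacement for the HTTP call. Only the prefix ever leaves
    the client, so the server learns at most which 1-in-16^5 bucket you are in."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    # Real responses are CRLF-separated lines of SUFFIX:COUNT.
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def times_pwned(password: str, lookup=range_lookup) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    The suffix comparison happens locally, so the full hash is never transmitted."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = times_pwned(pw)
        print(f"{pw!r}: {'seen %d times, change it' % n if n else 'not in corpus'}")
```

A site can run the same check server-side when a user sets a password (rejecting anything with a non-zero count) without the plaintext ever reaching a third party, which is exactly the property that makes this safe to wire into a signup or password-change flow.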
Martin Jartelius, CSO at Outpost24:
“It’s unfortunate this breach has occurred but in terms of security for customers, individuals should always be attentive to their card transactions because fraudulent activity is likely after a significant breach like this.
Furthermore, most people today will have hundreds of online accounts and trying to create a unique, but memorable, password for them all is challenging. Password managers are helpful but two-factor authentication should ideally be something most sites offer today. Additionally, increase your password strength with longer passwords (they are harder to crack at 10-plus characters) and use a combination of capitals, numbers, and special characters that don’t spell common words.
While the details are still unclear of how this breach happened, based on our experience, we advise all organisations to test their cybersecurity regularly. It’s a proactive approach that uncovers misconfigurations, bad assumptions, and incompatibilities in both IT and security technology that might expose an entry point for attack. Many successful attacks are made through known, exploitable vulnerabilities that go unpatched while the security staff is chasing the vector of the most recent publicly-reported breach.”
Lewis Jones, Threat Intelligence Analyst at Talion:
“This breach is a further example of attackers targeting the energy sector, which continues to be an attractive target for attackers with financial, geopolitical and hacktivist motivations. In 2021 there have already been a number of attacks targeting this sector. Those affected should follow the advice provided by Npower in terms of changing passwords etc., but users should also review whether this password is used on another site. This further demonstrates why good password hygiene is vitally important. Users should always remember: use strong passwords that are complex and combine uppercase letters, lowercase letters, numbers, and symbols. The best passwords are long (more than 16 characters) and completely random. Never reuse passwords.”
Burak Agca, security engineer at Lookout:
“Users should always use unique passwords for every service to thwart credential stuffing attacks and use a password manager to keep track of the large number of necessary passwords. It is also advised to use two-factor authentication whenever possible.
For enterprises it’s necessary to make two-factor authentication available to all users if this is not done already. Organisations should also limit the amount of personal data available through their public-facing APIs to a minimum – e.g. banking information or date of birth could be made write-only so that the user can enter or even update it but it cannot (or only in a redacted form) be displayed or queried in an app or on their website. Furthermore, closely monitor systems to detect login patterns that may indicate credential stuffing.”
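The monitoring the Lookout comment closes with is usually built on one signature: a single source trying many different usernames in a short window, mostly failing, with the occasional success. The example below is added here and is not code from the article or from Lookout or Npower. It runs a sliding-window check over constructed authentication log lines (timestamp, source IP, username, outcome; the format and the 5-minute window, 5-user and 60%-failure thresholds are assumptions for the example) and returns, per flagged source, the accounts that were successfully logged into during the burst, which are the ones to lock and notify, as Npower did.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (documentation-range IPs, made-up users). One legitimate
# user who mistypes twice, one source spraying six accounts, one normal login.
SAMPLE_LOG = """\
2021-02-24T09:00:01Z 198.51.100.20 alice@example.org FAIL
2021-02-24T09:00:09Z 198.51.100.20 alice@example.org FAIL
2021-02-24T09:00:15Z 198.51.100.20 alice@example.org OK
2021-02-24T09:01:00Z 203.0.113.7 u1@example.org FAIL
2021-02-24T09:01:01Z 203.0.113.7 u2@example.org FAIL
2021-02-24T09:01:02Z 203.0.113.7 u3@example.org OK
2021-02-24T09:01:03Z 203.0.113.7 u4@example.org FAIL
2021-02-24T09:01:04Z 203.0.113.7 u5@example.org FAIL
2021-02-24T09:01:05Z 203.0.113.7 u6@example.org FAIL
2021-02-24T09:02:30Z 192.0.2.5 bob@example.org OK
"""


def parse_line(line: str):
    """Parse '<ISO-8601 UTC> <ip> <user> <OK|FAIL>' into (datetime, ip, user, ok)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result == "OK"


def find_stuffing_sources(log_text: str, window_seconds: int = 300,
                          min_distinct_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Flag source IPs whose attempts within any window span many distinct accounts
    and are mostly failures. Returns ip -> summary incl. accounts that succeeded."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok = parse_line(line)
            events[ip].append((when, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        window = deque()
        for ev in evs:
            window.append(ev)
            # Drop events older than the window relative to the newest one.
            while (ev[0] - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            users = {u for _, u, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if len(users) >= min_distinct_users and failures / len(window) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "failures": failures,
                    # Successful logins inside the burst are the compromised accounts.
                    "succeeded_accounts": sorted({u for _, u, ok in window if ok}),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The legitimate user who fails twice is not flagged because every attempt targets one account, which is what separates a credential-stuffing burst from ordinary password fumbling; in production the same logic would also be keyed on other attacker-stable attributes (device fingerprint, ASN) since stuffing tools rotate source IPs.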