Npower shuts down app after hackers steal user data

Cyber criminals obtained partial financial data following successful credential stuffing attacks


Npower has scrapped its mobile app after learning that hackers obtained customer login details to access their accounts and steal sensitive information.

The UK energy giant said, according to MoneySavingExpert.com, that the attackers got into customer accounts by credential stuffing: replaying username and password pairs leaked from other websites against Npower's login page, and succeeding wherever a customer had reused the same password.

The company has confirmed that the attackers may have accessed personal information such as contact details and dates of birth, as well as partial financial information: sort codes and the last four digits of bank account numbers, but not full account numbers. They also accessed customers' contact preferences.

The energy firm didn’t reveal when the hack took place or how many users were affected, although MoneySavingExpert said it saw an email from the company on 2 February warning customers their accounts had been locked.

Access to the mobile app has also been shut down for all customers, and won’t be restored, given the company was set to phase it out in the near future.

The firm has advised its customers whose accounts were accessed to change their passwords, although they’re not being advised to contact their bank unless they notice any unusual activity on their statements. 

Credential stuffing is a common technique used by cyber criminals to get into accounts belonging to consumers or corporations. It does not require guessing or cracking anything: the attacker takes credential pairs spilled in an earlier breach and replays them, usually from automated tooling spread across many IP addresses, against a site that had nothing to do with the original leak. It works because of poor password hygiene, specifically the reuse of one password across several platforms and services; a strong password offers no protection if it has already leaked elsewhere.
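The signature that distinguishes a stuffing campaign from ordinary failed logins, and from a brute-force attack on a single account, is many distinct usernames tried from one source with roughly one attempt each and a very low success rate. The following is an added example of detection logic over authentication logs; it is not Npower's code and is not based on any detail of its systems. The log format (one line per attempt: ISO timestamp, ip=, user=, result=OK|FAIL), the sample lines, and the thresholds (five distinct users in ten minutes, at most 20% success) are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from Npower or from the article. The log format,
the sample log lines and the thresholds below are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line format: "<ISO8601 timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one source tries six different accounts in a few
# seconds and hits once (a stuffing pattern); one user mistypes a password a
# few times then logs in (normal); one clean login from a third address.
SAMPLE_LOG = """
2021-02-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2021-02-01T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2021-02-01T10:00:04Z ip=198.51.100.7 user=gina result=FAIL
2021-02-01T10:00:05Z ip=203.0.113.5 user=carol result=FAIL
2021-02-01T10:00:07Z ip=203.0.113.5 user=dave result=FAIL
2021-02-01T10:00:09Z ip=198.51.100.7 user=gina result=FAIL
2021-02-01T10:00:10Z ip=203.0.113.5 user=erin result=FAIL
2021-02-01T10:00:12Z ip=203.0.113.5 user=frank result=OK
2021-02-01T10:00:15Z ip=198.51.100.7 user=gina result=OK
2021-02-01T10:00:20Z ip=192.0.2.9 user=henry result=OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt | None:
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Attempt(ts, m["ip"], m["user"], m["result"] == "OK")


def detect_stuffing(attempts, window=timedelta(minutes=10), min_users=5,
                    max_success_ratio=0.2):
    """Return {ip: set_of_users_tried} for every source IP that, within any
    sliding window, tried at least `min_users` distinct usernames with a
    success ratio at or below `max_success_ratio`.

    Brute force looks like many attempts on one user; stuffing looks like
    many users with about one attempt each, so we key on distinct users.
    """
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged: dict[str, set[str]] = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.ok for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def compromised_accounts(attempts, flagged):
    """Accounts that logged in successfully from a flagged IP: the ones to lock
    and notify, regardless of whether the password was strong."""
    return sorted({a.user for a in attempts if a.ok and a.ip in flagged})


def analyse(log_text: str):
    """Parse a log and return (flagged_ips, accounts_to_lock)."""
    attempts = [a for a in map(parse_line, log_text.splitlines()) if a]
    flagged = detect_stuffing(attempts)
    return flagged, compromised_accounts(attempts, flagged)


if __name__ == "__main__":
    ips, accounts = analyse(SAMPLE_LOG)
    for ip, users in ips.items():
        print(f"block {ip}: tried {len(users)} accounts")
    print("lock and notify:", accounts)
```

The sliding window matters: a campaign spread across a long period at a low rate can still be caught per window, while a single user failing three times before getting in never reaches the distinct-user threshold. Attackers distribute stuffing across proxy pools precisely to stay under per-IP thresholds, so in practice this per-IP rule is paired with site-wide signals (overall failure rate, unusual user-agent or geography mix) and with checking submitted passwords against known-leaked sets.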

Digital privacy expert with ProPrivacy, Ray Walsh, branded this a “huge lapse of security” which has put consumers at “substantial risk”. It’ll now be down to the Information Commissioner’s Office (ICO), he added, to investigate the incident and determine whether it warrants a data protection fine.

“Energy customers who have used the Npower app should immediately check their bank statements for unusual activity, as the breach included sort codes and the last four digits of customer bank account numbers, leaving them wide open to fraud,” Walsh continued.


“The probability that consumers will also now receive phishing emails is high, so it is essential that consumers watch their inboxes carefully for any emails that coerce them into following links or ask for personal information.”

Recent research from F5 shows that credential spill incidents nearly doubled between 2016 and 2020, giving attackers a growing supply of leaked username and password pairs to replay against accounts on other web services.

Google also uncovered in 2019 that 1.5% of all login attempts across the internet use compromised passwords obtained from leaks and data breaches. Despite being regularly notified that their details have been leaked to hackers, a large proportion of people are unlikely to change their passwords or deactivate their accounts.

“We’ve contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and giving advice on how to prevent unauthorised access to their online account,” a company spokesperson told IT Pro.

“We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the npower app. We also notified the Information Commissioner’s Office (ICO) and Action Fraud.

“Protecting customers’ security and data is our top priority and our robust defences helped us to identify this recent attack. It’s important we all continue to stay secure online and urge customers to avoid reusing the same password across multiple websites.”
