Npower scraps app, and urges customers to change passwords, after data breach

Graham Cluley
@gcluley

Npower scraps app, and urges customers to change passwords after data breach

UK energy firm Npower has scrapped its smartphone app following an attack by hackers that saw some users’ accounts accessed and personal information stolen.

As first reported by MoneySavingExpert, accounts with the energy company were targeted by a credential-stuffing attack.

Credential-stuffing attacks exploit the fact that many people choose passwords that they had previously used elsewhere on the internet.

Sign up to our newsletter
Security news, advice, and tips.

As I say over-and-over again, you should never reuse your passwords. It’s a recipe for disaster. If a data breach exposes passwords on one site, one of the first things a criminal will do is try to use those same login credentials on other websites.

As a consequence of the attack against Npower, data that may have been accessed by criminals includes the following details of some customers:

  • Personal information – eg, contact details, date of birth and address
  • Partial financial info – including sort codes, and the last four digits of customers’ bank account numbers
  • Contact preferences – eg, if customers prefer to be contacted by email, text or phone call

Npower is keeping its lips sealed as to just how many customer accounts were compromised, but says that it has contacted all affected users. It has also informed the Information Commissioner’s Office (ICO).

In the wake of the attack, affected users are being told that they must change their passwords (obviously you should make it a strong, hard-to-crack password that you are not using anywhere else online.)

In addition, Npower has deactivated its smartphone app, and is telling customers to make payments, view bills, and enter meter readings via its official website instead.

Presumably the company has more confidence that its website can repel credential-stuffing attacks than the API used by its now scrapped app.

Npower says it had planned to shut down the app anyway, following the business’s acquisition by Eon in early 2019.

Customers would be wise, as ever, to be suspicious of unsolicited emails and phone calls that may claim to come from Npower – in case cybercriminals attempt to phish for further personal and financial information.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.