Npower scraps app, and urges customers to change passwords, after data breach

Graham Cluley


UK energy firm Npower has scrapped its smartphone app following an attack by hackers that saw some users’ accounts accessed and personal information stolen.

As first reported by MoneySavingExpert, accounts with the energy company were targeted by a credential-stuffing attack.

Credential-stuffing attacks exploit the fact that many people choose passwords that they had previously used elsewhere on the internet.


As I say over and over again, you should never reuse your passwords. It’s a recipe for disaster. If a data breach exposes passwords on one site, one of the first things a criminal will do is try to use those same login credentials on other websites.
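To make the pattern concrete from the defender's side, here is an added example (not code from the article, from Npower or from Eon) of how a login API's logs can be screened for a credential-stuffing run: one source trying many different accounts with mostly failures, rather than one user retrying their own account. The log format, IP addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed API login log for this example (format assumed, not Npower's):
# "timestamp src_ip username result"
SAMPLE_LOG = """\
2021-02-01T09:00:01Z 203.0.113.7 alice@example.com FAIL
2021-02-01T09:00:02Z 203.0.113.7 bob@example.com FAIL
2021-02-01T09:00:02Z 203.0.113.7 carol@example.com OK
2021-02-01T09:00:03Z 203.0.113.7 dave@example.com FAIL
2021-02-01T09:00:03Z 203.0.113.7 erin@example.com FAIL
2021-02-01T09:00:04Z 203.0.113.7 frank@example.com FAIL
2021-02-01T09:10:00Z 198.51.100.4 ivan@example.com FAIL
2021-02-01T09:10:20Z 198.51.100.4 ivan@example.com FAIL
2021-02-01T09:10:45Z 198.51.100.4 ivan@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (src_ip, username, success) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, ip, user, result = m.groups()
            yield ip, user, result == "OK"


def detect_credential_stuffing(text, min_accounts=5, min_failure_ratio=0.5):
    """Flag source IPs that hit many distinct accounts with mostly failures.

    A user mistyping a password retries one account; a stuffing run tries a
    leaked password against many accounts, so distinct-account fan-out plus a
    high failure ratio is the signal (the few OKs are the compromised accounts).
    Returns {ip: {"accounts", "attempts", "failures", "successes"}}.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "failures": 0})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["accounts"].add(user)
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
    flagged = {}
    for ip, s in per_ip.items():
        if (len(s["accounts"]) >= min_accounts
                and s["failures"] / s["attempts"] >= min_failure_ratio):
            flagged[ip] = {"accounts": len(s["accounts"]), "attempts": s["attempts"],
                           "failures": s["failures"],
                           "successes": s["attempts"] - s["failures"]}
    return flagged
```

In the sample, 203.0.113.7 is flagged (six accounts, five failures, one success) while 198.51.100.4 is not, because it only ever touches one account; the thresholds are starting points to tune against real traffic.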

As a consequence of the attack against Npower, data that may have been accessed by criminals includes the following details of some customers:

  • Personal information – e.g. contact details, date of birth and address
  • Partial financial info – including sort codes, and the last four digits of customers’ bank account numbers
  • Contact preferences – e.g. whether customers prefer to be contacted by email, text or phone call

Npower is keeping its lips sealed as to just how many customer accounts were compromised, but says that it has contacted all affected users. It has also informed the Information Commissioner’s Office (ICO).

In the wake of the attack, affected users are being told that they must change their passwords (obviously you should make it a strong, hard-to-crack password that you are not using anywhere else online).

In addition, Npower has deactivated its smartphone app, and is telling customers to make payments, view bills, and enter meter readings via its official website instead.

Presumably the company has more confidence that its website can repel credential-stuffing attacks than the API used by its now scrapped app.

Npower says it had planned to shut down the app anyway, following the business’s acquisition by Eon in early 2019.

Customers would be wise, as ever, to be suspicious of unsolicited emails and phone calls that may claim to come from Npower – in case cybercriminals attempt to phish for further personal and financial information.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
