UK energy firm Npower has scrapped its smartphone app following an attack by hackers that saw some users’ accounts accessed and personal information stolen.
As first reported by MoneySavingExpert, accounts with the energy company were targeted by a credential-stuffing attack.
Credential-stuffing attacks exploit the fact that many people choose passwords that they had previously used elsewhere on the internet.
As I say over and over again, you should never reuse your passwords. It’s a recipe for disaster. If a data breach exposes passwords on one site, one of the first things a criminal will do is try to use those same login credentials on other websites.
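The attack pattern described above has a recognisable signature on the defending side: one source tries many different accounts in quick succession, and most attempts fail because a leaked password is only valid where it was reused. Per-account lockouts do not catch this, since each account may see only a single attempt. The following Python script is an added example, not code from the original article or from Npower; the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Spot credential-stuffing patterns in authentication logs.

Constructed example: the log lines, IPs and thresholds below are illustrative
and are not taken from Npower or any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through many distinct accounts with a
# high failure ratio (stuffing), one ordinary user who mistyped a password once,
# and one routine login.
SAMPLE_LOG = """\
2021-02-25T09:00:01 ip=203.0.113.7 user=alice result=fail
2021-02-25T09:00:02 ip=203.0.113.7 user=bob result=fail
2021-02-25T09:00:02 ip=203.0.113.7 user=carol result=ok
2021-02-25T09:00:03 ip=203.0.113.7 user=dave result=fail
2021-02-25T09:00:03 ip=203.0.113.7 user=erin result=fail
2021-02-25T09:00:04 ip=203.0.113.7 user=frank result=ok
2021-02-25T09:00:05 ip=203.0.113.7 user=grace result=fail
2021-02-25T09:00:05 ip=203.0.113.7 user=heidi result=fail
2021-02-25T09:01:10 ip=198.51.100.4 user=ivan result=fail
2021-02-25T09:01:15 ip=198.51.100.4 user=ivan result=ok
2021-02-25T09:02:00 ip=192.0.2.9 user=judy result=ok
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5,
                          max_success_ratio=0.5):
    """Return {ip: summary} for sources whose behaviour looks like credential stuffing.

    A source is flagged when, inside any sliding time window, it has attempted at
    least `min_users` distinct accounts and at most `max_success_ratio` of those
    attempts succeeded. The summary reports the widest qualifying window and the
    accounts that did log in from that source, which need a forced reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_log(text)):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Advance the window start so the window never exceeds `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "successes": successes,
                        "compromised_accounts": sorted(u for _, u, ok in chunk if ok),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

In the constructed sample only 203.0.113.7 is flagged: eight distinct accounts in a few seconds with two successes, which is exactly the "reused password found" outcome the article warns about; the accounts that succeeded from that source (carol and frank) are the ones to reset and notify. The same check applies equally to a website login endpoint and to a mobile app's API, since a stuffing tool only needs whichever of the two lacks rate limiting and this kind of cross-account monitoring.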
As a consequence of the attack against Npower, data that may have been accessed by criminals includes the following details of some customers:
- Personal information – e.g. contact details, date of birth and address
- Partial financial info – including sort codes and the last four digits of customers’ bank account numbers
- Contact preferences – e.g. whether customers prefer to be contacted by email, text or phone call
Npower is keeping its lips sealed as to just how many customer accounts were compromised, but says that it has contacted all affected users. It has also informed the Information Commissioner’s Office (ICO).
In the wake of the attack, affected users are being told that they must change their passwords (obviously you should make it a strong, hard-to-crack password that you are not using anywhere else online).
In addition, Npower has deactivated its smartphone app, and is telling customers to make payments, view bills, and enter meter readings via its official website instead.
Presumably the company has more confidence that its website can repel credential-stuffing attacks than the API used by its now scrapped app.
Npower says it had planned to shut down the app anyway, following the business’s acquisition by Eon in early 2019.
Customers would be wise, as ever, to be suspicious of unsolicited emails and phone calls that may claim to come from Npower – in case cybercriminals attempt to phish for further personal and financial information.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.