British energy giant Npower suffered a major data breach recently that involved hackers using stolen passwords to gain access to a large number of customer accounts. The company had to shut down its mobile app altogether to mitigate the breach.
Npower announced that hackers recently carried out large-scale credential-stuffing attacks against its mobile application to access customers' personal records, including names, dates of birth, and addresses. The hackers also accessed financial details such as sort codes and the last four digits of bank account numbers, as well as information on whether customers preferred to be contacted by email, text, or phone call.
As of now, Npower has declined to state the number of hacked accounts but said that not all customer accounts were affected. It is still not clear when the security incident took place, but on 2nd February MoneySavingExpert.com discovered that Npower had sent emails to customers to let them know that their accounts were locked due to third-party access.
"We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as 'credential stuffing'," said an Npower spokesperson.
"We've contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and offering advice on how to prevent unauthorised access to their online account," he added.
The Information Commissioner's Office (ICO) has already been informed about the incident. "Npower has made us aware of an incident affecting their app and we are making enquiries," the ICO told the BBC.
The company has advised all customers who used the application in the past to change their passwords and keep a close eye on their bank accounts for any fraudulent activity. As the app has been permanently shut down, customers now need to log in via the company website to access the self-serve options.
Credential stuffing is one of the most common attack techniques used by cyber criminals. In 2018, security firm Shape Security revealed in its Credential Spill Report that credential stuffing attempts accounted for more than half of all login attempts on the websites of online retailers, airlines, banks, hotels and other firms.
The rise in the number of credential stuffing attacks is fuelled by the availability of millions of users' login credentials on hacker forums and on the Dark Web. Many organisations that store and process the personal data of thousands to millions of people have suffered massive breaches over the years, giving hackers enough material to launch millions of credential stuffing attempts every month.
Credential stuffing attacks also succeed because many people reuse the same login credentials across accounts with different online retailers, banks, hotels, and airlines. So if a user's login credentials for one website are breached, criminals can use the same credentials to break into that user's other accounts as well.
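The tell-tale sign of this technique on the defender's side is one source trying many different usernames, most of them failing, with the occasional success where a password was reused. The following is an added illustration of that detection logic over a handful of constructed log lines; it is example code written for this article, not Npower's or Shape Security's, and the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log shape for an app login endpoint: "<timestamp> src=<ip> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample lines (documentation IP ranges, made-up users); not real Npower data.
SAMPLE_LOG = """\
2021-02-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2021-02-01T10:00:02Z src=203.0.113.7 user=bob result=fail
2021-02-01T10:00:03Z src=203.0.113.7 user=carol result=ok
2021-02-01T10:00:04Z src=203.0.113.7 user=dave result=fail
2021-02-01T10:00:05Z src=203.0.113.7 user=erin result=fail
2021-02-01T10:00:06Z src=203.0.113.7 user=frank result=fail
2021-02-01T10:01:00Z src=198.51.100.9 user=alice result=fail
2021-02-01T10:01:05Z src=198.51.100.9 user=alice result=fail
2021-02-01T10:01:20Z src=198.51.100.9 user=alice result=ok
2021-02-01T10:02:00Z src=192.0.2.50 user=grace result=ok
"""

def parse(log_text):
    """Turn matching log lines into dicts; lines of another shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {src: stats} for sources that look like credential stuffing.

    Heuristic: one source tries many *distinct* usernames and mostly fails.
    A legitimate user mistyping their own password (198.51.100.9 above)
    hits a single account and is not flagged. Thresholds are assumptions.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ev in events:
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "ok":
            s["ok"] += 1
    flagged = {}
    for src, s in per_src.items():
        ratio = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "attempts": s["attempts"], "success_ratio": ratio}
    return flagged

if __name__ == "__main__":
    for src, stats in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(src, stats)
```

The single successful login for carol from the flagged source is the account a defender would lock and notify, which is the step Npower describes above.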
Commenting on the security breach, James McQuiggan, security awareness advocate at KnowBe4, told Teiss, "We all know it's easier to remember one style of password or one password for all of our accounts. However, cybercriminals are fully aware of this and use passwords stolen from other data breaches to access various user accounts. While phishing and other attack vectors involve more analysis and security measures, credential stuffing is something that we as individuals can fix ourselves.
"There are free monitoring services available, like HaveIBeenPwned.com, where you can find out if your email is known to be involved in a previous data breach. Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach. The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuffing attack.
"Finally, using multi-factor authentication or MFA, wherever provided by the organization, can add that extra layer of protection to an account. If the password is compromised, it is significantly more difficult for cybercriminals to gain access and expose a user's data. Organizations want to implement a robust security culture to inform users of the importance of unique passwords to reduce the risk of compromised accounts and the potential loss of stolen Personally Identifiable Information," he added.