UK energy firm Npower has scrapped its smartphone app following an attack by hackers that saw some users’ accounts accessed and personal information stolen.
As first reported by MoneySavingExpert, accounts with the energy company were targeted by a credential-stuffing attack.
Credential-stuffing attacks exploit the fact that many people choose passwords that they have previously used elsewhere on the internet.
As I say over and over again, you should never reuse your passwords. It’s a recipe for disaster. If a data breach exposes passwords on one site, one of the first things a criminal will do is try to use those same login credentials on other websites.
As a consequence of the attack against Npower, data that may have been accessed by criminals includes the following details of some customers:
Personal information – eg, contact details, date of birth and address
Partial financial info – including sort codes, and the last four digits of customers’ bank account numbers
Contact preferences – eg, if customers prefer to be contacted by email, text or phone call
Npower is keeping its lips sealed as to just how many customer accounts were compromised, but says that it has contacted all affected users. It has also informed the Information Commissioner’s Office (ICO).
In the wake of the attack, affected users are being told that they must change their passwords (obviously, you should make it a strong, hard-to-crack password that you are not using anywhere else online).
In addition, Npower has deactivated its smartphone app, and is telling ..