[BreachExchange] Npower Ditches App After Credential Stuffing Attacks

Destry Winant destry at riskbasedsecurity.com
Tue Mar 2 10:49:20 EST 2021


https://www.infosecurity-magazine.com/news/npower-ditches-app-credential/

One of the UK’s largest energy firms has been forced to deactivate its
mobile app after reports emerged of a coordinated credential stuffing
campaign against users.

Npower has informed all of the affected customers, although it’s
unclear exactly how many had their accounts hijacked by attackers.

Data that may have been viewed includes personal information such as
dates of birth, contact details and addresses, partial financial
information (sort codes and the last four digits of bank account
numbers) and contact preferences, according to MoneySavingExpert.

Although there’s no obvious information for affected customers on the
Npower website, they were reportedly contacted about the incident in
early February.

“We immediately locked any online accounts that were affected, blocked
suspicious IP addresses and deactivated the Npower app,” a statement
from the firm noted.

“We’ve also notified the Information Commissioner’s Office and Action
Fraud. Protecting customers’ security and data is our top priority.”

The app was set to be canned even before the incident, but the
credential stuffing campaign accelerated the process, the report
claimed.

Credential stuffing attacks depend on customers/end users who reuse
the same password across multiple sites. When one of those sites is
breached, attackers feed the stolen username and password pairs into
automated software, which tries them in large numbers against other
websites; every reused pair that still works is a hijacked account.
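The pattern described above is visible on the target's side as well: one
source tries many different usernames in a short window and almost all
of them fail, whereas a legitimate user who mistypes a password retries
the same username. The following Python is an added example (not
Npower's code, and not from the article) that scores login records per
source IP on exactly those signals, then lists the accounts that
succeeded from a flagged source, which is what an operator would need in
order to lock affected accounts. The log format, the sample lines and
the thresholds are all assumptions constructed for the example.

```python
"""Flag credential-stuffing sources in a web-login log.

Added example, not Npower's code. Assumed log format (constructed):
    <ISO-8601 timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log: alice fat-fingers her own password twice,
# bob logs in normally, 203.0.113.7 sprays eight different usernames
# in five seconds and gets one hit (frank).
LOG: List[str] = """\
2021-02-01T09:00:01 10.0.0.5 alice LOGIN_FAIL
2021-02-01T09:00:12 10.0.0.5 alice LOGIN_FAIL
2021-02-01T09:00:25 10.0.0.5 alice LOGIN_OK
2021-02-01T09:01:02 192.0.2.44 bob LOGIN_OK
2021-02-01T09:02:00 203.0.113.7 carol LOGIN_FAIL
2021-02-01T09:02:01 203.0.113.7 dave LOGIN_FAIL
2021-02-01T09:02:01 203.0.113.7 erin LOGIN_FAIL
2021-02-01T09:02:02 203.0.113.7 frank LOGIN_OK
2021-02-01T09:02:03 203.0.113.7 grace LOGIN_FAIL
2021-02-01T09:02:03 203.0.113.7 heidi LOGIN_FAIL
2021-02-01T09:02:04 203.0.113.7 ivan LOGIN_FAIL
2021-02-01T09:02:05 203.0.113.7 judy LOGIN_FAIL
""".splitlines()


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: Set[str] = field(default_factory=set)
    successes: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log record into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def aggregate(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Per-source-IP counters over the whole log."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        ts, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "LOGIN_FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return stats


def stuffing_sources(lines: Iterable[str],
                     min_attempts: int = 5,
                     min_distinct_users: int = 5,
                     min_fail_ratio: float = 0.8,
                     window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return {ip: summary} for sources that look like credential stuffing.

    Thresholds are assumed defaults: a burst of attempts against many
    distinct usernames with a high failure ratio inside a short window.
    A single user retrying one username is not flagged.
    """
    flagged: Dict[str, dict] = {}
    for ip, s in aggregate(lines).items():
        fail_ratio = s.failures / s.attempts
        span = s.last_seen - s.first_seen
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and fail_ratio >= min_fail_ratio
                and span <= window):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.usernames),
                "fail_ratio": round(fail_ratio, 3),
                "seconds": span.total_seconds(),
                "hijacked": sorted(s.successes),
            }
    return flagged


def accounts_to_lock(lines: Iterable[str]) -> List[str]:
    """Usernames that logged in successfully from a flagged source."""
    hits: Set[str] = set()
    for summary in stuffing_sources(lines).values():
        hits.update(summary["hijacked"])
    return sorted(hits)


if __name__ == "__main__":
    for ip, summary in stuffing_sources(LOG).items():
        print(f"block {ip}: {summary}")
    print("lock accounts:", accounts_to_lock(LOG))
```

The two outputs map onto the two actions in Npower's statement: the
flagged IPs are what gets blocked, and the successful logins from those
IPs are the accounts that get locked. In production the same counters
would be kept over a sliding window and keyed on more than the source
IP, since stuffing tools rotate through proxy pools to stay under
per-IP thresholds.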

James McQuiggan, security awareness advocate at KnowBe4, explained
that consumers could try free monitoring services like HaveIBeenPwned
to check if their logins have been previously breached.

“Keeping track of your passwords in a password vault is the first step
toward protecting your accounts. The second step is to always change
that password when it has been compromised in a data breach,” he said.

“The third step is to have unique and strong passwords for each
account you create, reducing the likelihood of a credential stuffing
attack. Finally, using multi-factor authentication (MFA), wherever
provided by the organization, can add that extra layer of protection
to an account.”
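The "check whether a password has appeared in a breach" step can be
automated without ever sending the password anywhere, which is how the
Pwned Passwords service behind HaveIBeenPwned works: the client hashes
the password with SHA-1, sends only the first five hex characters of the
hash to https://api.pwnedpasswords.com/range/<prefix>, receives every
hash suffix with that prefix together with a breach count, and does the
match locally (k-anonymity). The Python below is an added example, not
code from the article, from KnowBe4 or from HaveIBeenPwned. The range
response embedded in it is constructed so the example runs offline, and
the breach count in it is made up; only the live fetcher at the end
talks to the real API.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example. The constructed range body below stands in for the real
HTTP response; its count value is invented for the example.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for GET /range/5BAA6. The real response has the
# same shape: one "<35-hex-char suffix>:<count>" line per hash, CRLF
# separated. The second line is the suffix of SHA-1("password").
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def sha1_split(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex digest split into the 5-char prefix sent to the
    API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Find our suffix in a range response; 0 means not seen in a breach."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breaches.

    fetch_range is injected so the check can run against the live API or
    against a canned response; the password itself never leaves the host.
    """
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix: str) -> str:
    """Constructed fetcher for offline use."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Fetch a real range from api.pwnedpasswords.com (network required)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in constructed sample'}")
    # breach_count("password", live_fetch) would query the real service.
```

A sign-up or password-change form can run the same check server-side and
reject any password with a non-zero count, which removes the reused,
already-leaked passwords that credential stuffing relies on before they
reach the account database. Note that a zero count from the live service
only means the password has not been seen in a breach it indexes, not
that the password is strong.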

