
Npower shuts off app after credential stuffing attack

Npower customers will have to log in to their accounts on its website after its app was withdrawn following a security breach

Energy supplier Npower has closed down and withdrawn its mobile app after a credential stuffing attack saw the accounts and personal data of an undisclosed number of customers accessed by cyber criminals.

An Npower spokesperson told Computer Weekly that the app would not be returning in the future, as it was planned to be withdrawn within the next few weeks anyway as the company is folded into Eon, which acquired it in 2019. Users can, for now, continue to access their account services on npower.com.

According to MoneySavingExpert, which was first to report the incident, the unauthorised access appears to have taken place some time prior to 2 February 2021.

“We identified suspicious cyber activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website,” the firm’s spokesperson said in an emailed statement.

“We’ve contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and advice on how to prevent unauthorised access to their online account.

“We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the Npower app. We also notified the Information Commissioner’s Office [ICO] and Action Fraud,” they added.

Npower said protecting the security and data of its customers was a top priority, and robust defences had helped it identify the attack.

Credential stuffing attacks are a relatively simple and therefore common form of cyber attack, and usually involve testing user credentials found in other data breaches, or sold on underground dark web forums, against accounts on other services until a match is found.
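The pattern described above, a single source replaying many distinct stolen username/password pairs, is what a defender looks for in authentication logs. The following is an added illustration, not code from Npower, Eon or Computer Weekly: it runs over a constructed, hypothetical auth log and returns the source IPs to block and the accounts to lock, mirroring the response the company describes. The log format, field names and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample auth log as (source_ip, username, outcome) tuples.
# The format is hypothetical; real events would come from the app's auth backend.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "success"),   # a reused password matched
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("198.51.100.2", "alice", "fail"),    # ordinary user mistyping once
    ("198.51.100.2", "alice", "success"),
]


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Return (ips_to_block, accounts_to_lock).

    One source trying many *distinct* usernames with a high failure rate
    looks like a breached credential list being replayed, not a legitimate
    user retrying their own password (one username, one IP). Thresholds
    are illustrative and would be tuned to the service's normal traffic.
    """
    users_by_ip = defaultdict(set)
    fails_by_ip = defaultdict(int)
    total_by_ip = defaultdict(int)
    successes_by_ip = defaultdict(set)

    for ip, user, outcome in events:
        users_by_ip[ip].add(user)
        total_by_ip[ip] += 1
        if outcome == "fail":
            fails_by_ip[ip] += 1
        else:
            successes_by_ip[ip].add(user)

    block, lock = set(), set()
    for ip, users in users_by_ip.items():
        fail_ratio = fails_by_ip[ip] / total_by_ip[ip]
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            block.add(ip)
            # Any account the stuffing source actually got into almost
            # certainly has a reused password: lock it pending a reset.
            lock |= successes_by_ip[ip]
    return block, lock


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
```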

Such attacks cannot be blamed on the service owner, as they are almost always entirely the fault of lax security hygiene elsewhere. But because they almost always victimise people who have reused usernames and passwords across multiple services, avoiding them is relatively easy: simply do not reuse credentials in the first place.

A number of password managing services are available for people who feel they may not be able to remember complex, unique passwords across multiple services.

Ray Walsh of ProPrivacy said: “Energy customers who have used the Npower app should immediately check their bank statements for unusual activity, as the breach included sort codes and the last four digits of customer bank accounts numbers, leaving them wide open to fraud.

“Hackers now have access to all the user credentials and passwords from the Npower app, which means that consumers must any additional accounts they might have with the same password.

“Otherwise, anyone that has reused the same password from the Npower app on another service could end up with that account also hacked.

“The probability that consumers will also now receive phishing emails is high, so it is essential that consumers watch their inboxes carefully for any emails that coerce them into following links or ask for personal information,” said Walsh.
