- I use this cheap Android tablet more than my iPad Pro - and don't regret it
- Change these 10 iOS settings right now to instantly get better iPhone battery life
- How to clear the cache on your Windows 11 PC (and why you shouldn't wait to do it)
- These Sony headphones deliver premium sound and comfort - without the premium price
- The LG soundbar I prefer for my home theater slaps with immersive audio - and it's not the newest model
Npower Ditches App After Credential Stuffing Attacks
One of the UK’s largest energy firms has been forced to deactivate its mobile app after reports emerged of a coordinated credential stuffing campaign against users.
Npower has informed all of the affected customers, although it’s unclear exactly how many had their accounts hijacked by attackers.
Data that may have been viewed includes personal information like: dates of birth, contact details and addresses, partial financial information including sort codes and the last four digits of bank account numbers and contact preferences, according to MoneySavingExpert.
Although there’s no obvious information for affected customers on the Npower website, they were reportedly contacted about the incident in early February.
“We immediately locked any online accounts that were affected, blocked suspicious IP addresses and deactivated the Npower app,” a statement from the firm noted.
“We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority.”
The app was set to be canned even before the incident, but the credential stuffing campaign accelerated the process, the report claimed.
Credential stuffing attacks are primarily the fault of customers/end users that reuse passwords across multiple sites. That means if one of those companies is breached, attackers can feed these stolen credentials into automated software, which tries them in large numbers across other websites.
James McQuiggan, security awareness advocate at KnowBe4, explained that consumers could try free monitoring services like HaveIBeenPwned to check if their logins have been previously breached.
“Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach,” he said.
“The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuff attack. Finally, using multi-factor authentication (MFA), wherever provided by the organization, can add that extra layer of protection to an account.”
