Npower Ditches App After Credential Stuffing Attacks
One of the UK’s largest energy firms has been forced to deactivate its mobile app after reports emerged of a coordinated credential stuffing campaign against users.
Npower has informed all of the affected customers, although it’s unclear exactly how many had their accounts hijacked by attackers.
Data that may have been viewed includes personal information such as dates of birth, contact details and addresses; partial financial information, including sort codes and the last four digits of bank account numbers; and contact preferences, according to MoneySavingExpert.
Although there’s no obvious information for affected customers on the Npower website, they were reportedly contacted about the incident in early February.
“We immediately locked any online accounts that were affected, blocked suspicious IP addresses and deactivated the Npower app,” a statement from the firm noted.
“We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority.”
The app was set to be canned even before the incident, but the credential stuffing campaign accelerated the process, the report claimed.
Credential stuffing attacks are primarily the fault of customers/end users who reuse passwords across multiple sites. That means if one of those sites is breached, attackers can feed the stolen credentials into automated software, which tries them in large numbers across other websites.
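On the defending side, that pattern (one source trying many different accounts, with most attempts failing) is what separates credential stuffing from ordinary login noise. The sketch below is an added example, not Npower's tooling: it flags such sources and lists the accounts to lock, mirroring the response the firm describes. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source, eight different accounts, a single hit: stuffing pattern
    [("203.0.113.10", f"user{i}@example.com", i == 3) for i in range(8)]
    # Shared office NAT: many accounts, but every login succeeds
    + [("198.51.100.20", f"staff{i}@example.com", True) for i in range(6)]
    # One account hammered repeatedly: brute force, not stuffing
    + [("192.0.2.55", "alice@example.com", False)] * 6
    # A user who mistyped a password once
    + [("198.51.100.7", "bob@example.com", False),
       ("198.51.100.7", "bob@example.com", True)]
)

def flag_stuffing_sources(events, min_accounts=5, max_success_rate=0.2):
    """Return stats for source IPs that tried many distinct accounts
    with a low success rate (thresholds are illustrative assumptions)."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["accounts"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)  # account the source actually got into

    flagged = {}
    for ip, stats in per_ip.items():
        successes = len(stats["hits"])
        rate = successes / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_accounts": len(stats["accounts"]),
                "success_rate": round(rate, 3),
                # Accounts with a successful login from a flagged source
                # are the ones to lock and notify.
                "accounts_to_lock": sorted(stats["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

The distinct-account count catches a source that never repeats a username, which a per-account lockout counter would miss; the success-rate condition keeps a shared NAT address full of legitimate users from being blocked.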
James McQuiggan, security awareness advocate at KnowBe4, explained that consumers could try free monitoring services like HaveIBeenPwned to check if their logins have been previously breached.
“Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach,” he said.
“The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuffing attack. Finally, using multi-factor authentication (MFA), wherever provided by the organization, can add that extra layer of protection to an account.”