British electricity generator and gas supplier ‘Npower’ is scrapping its app following a wave of credential stuffing attacks that compromised a large number of customer accounts. Reportedly, the attackers used valid credentials stolen from other websites and previous data breaches, tested them against the Npower app, and took over a large number of customer accounts and the data associated with them as a result.
The information that has been exposed includes the following:
Npower hasn’t disclosed how many accounts were compromised or exactly when the compromise happened, but third-party sources claim to have seen internally circulated warnings dating as far back as February 2, 2021. The company has generally not been forthcoming with details. Still, it has notified the British Information Commissioner’s Office (ICO), as the law requires, so an investigation by the regulator should be underway.
The smartphone app has been deactivated, and customers are directed to make payments, view bill details, and submit meter readings through the website instead. Possibly, Npower has evidence that the credential stuffing attacks went through the app’s API, which allowed a large number of username and password combinations to be tried without tripping rate limiting or any other alarm. If so, that is a security flaw in its own right, and it would explain why the app is being scrapped immediately rather than patched.
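The pattern that kind of attack leaves behind, and the check a defender would run over the API’s authentication log to catch it, as an added example (this is not Npower’s code, and the log format, the sample lines and the thresholds are all constructed for illustration): a single source trying many distinct usernames in a short window with a low success rate is credential stuffing, whereas one user failing a few times on their own account is not.

```python
"""Credential-stuffing detector over API login logs (added example).

Flags sources that try many distinct usernames within a short window with a
low success rate, and lists the accounts they did get into so those can be
force-reset. The log format and sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays ten different accounts in five seconds (stuffing);
# 198.51.100.9 is one user mistyping their own password (benign).
SAMPLE_LOG = """\
2021-02-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-02-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-02-01T10:00:02Z 203.0.113.7 carol@example.com OK
2021-02-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2021-02-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2021-02-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2021-02-01T10:00:05Z 203.0.113.7 grace@example.com OK
2021-02-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2021-02-01T10:00:06Z 203.0.113.7 ivan@example.com FAIL
2021-02-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2021-02-01T10:05:00Z 198.51.100.9 alice@example.com FAIL
2021-02-01T10:05:30Z 198.51.100.9 alice@example.com FAIL
2021-02-01T10:06:00Z 198.51.100.9 alice@example.com OK
2021-02-01T10:07:00Z 192.0.2.44 mallory@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=8, max_success_rate=0.5):
    """Return {ip: {"attempts", "distinct_users", "successes"}} for every source
    that, within any `window`, hit at least `min_users` distinct usernames with a
    success rate at or below `max_success_rate`. Thresholds are assumed values;
    tune them to the real traffic profile of the API being protected."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            oks = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and oks / len(win) <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({u for _, u, _ in evs}),
                    # Accounts the source actually got into: these need a forced reset.
                    "successes": sorted({u for _, u, ok in evs if ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} usernames over {info['attempts']} attempts; "
              f"compromised: {', '.join(info['successes'])}")
```

The distinct-username count is what separates stuffing from an ordinary brute-force or a forgetful user, and the success list is the incident-response output: those accounts were opened with a password that is already public, so resetting them is the first step regardless of whether the app stays online.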
If you were using the Npower app, change your password on any other site where you reused the same one, and turn on two-factor authentication wherever it is offered. Moreover, remain on high alert for incoming scam messages, both SMS and email, that mention your account or energy bills. While the financial details that were accessed aren’t enough for direct fraud on their own, it wouldn’t hurt to keep an eye on your bank statements and look for any transactions you don’t recognize.