Npower shuts down its mobile app after ‘credential stuffing’ hack


Npower has today scrapped its mobile app amid fears hackers may have gained access to customers’ personal data – including bank details.

Bosses behind energy giant, a ‘Big Six’ firm, are warning customers to check their bank statements for unusual activity following the breach.

It is thought hackers have gained access to contact details, addresses and partial financial details such as sort codes.

Hackers are said to have used stolen details from other websites to gain access to customers’ accounts on the Npower app.

Npower deactivated its app after the hack, but has now decided to scrap it completely, according to MoneySavingExpert.

Customers are being warned to change any other accounts they might have with the same user name and password. 

Digital privacy expert Ray Walsh said the incident was a ‘huge lapse of security’ from Npower.

Bosses behind energy giant, a ‘Big Six’ energy firm, are warning customers to check their bank statements for unusual activity following the breach.

Mr Walsh, an expert for ProPrivacy, said: ‘This has put consumers at substantial risk, and it will now be down to the Information Commissioner’s Office to investigate to figure out whether they deserve a fine.’

Credential Stuffing: How hackers broke in 

Credential stuffing is a type of cyber attack where stolen login details – such as user names and passwords – are used to gain access to other accounts.

The data is typically stolen through data breaches on other websites, and relies on customers using the same login and password details for multiple accounts.

A 2019 survey by Google found 51 per cent of internet users admitted that they use one particular ‘favourite’ password for the majority of their accounts.   

In a credential stuffing hack, computer software is used to input thousands or even millions of stolen logins in the hope that a fraction will have an account on that website or app.

Once in, hackers will then extract more details which they can use themselves or sell on to other hackers. 

MailOnline has contacted Npower for a comment and is awaiting a response.

According to MoneySavingExpert, Npower says customer accounts were accessed using login data obtained from other websites in a type of attack known as ‘credential stuffing’.

It is a common technique used by hackers, who take stolen login data from one website and use it on another.

For instance, if someone’s login email address and password has been stolen from another website, hackers can then attempt to use it on other websites.

If a person uses the same user name and password details across multiple websites, the details can be used to access all of those accounts. 

Though internet users are warned to have a variety of passwords, a 2019 survey by Google found 51 per cent of internet users admitted that they use one particular ‘favourite’ password for the majority of their accounts.

According to MoneySavingExpert, personal information including contact details, date of birth and address may have been viewed on the Npower app during the hack.

Partial financial info, including sort codes and the last four digits of customers’ bank account numbers, may have also been accessed.

Npower have not revealed exactly when the hack took place and how many customers have been affected, according to MoneySavingExpert.  

However, it is understood Npower has advised all customers whose accounts were accessed to change their passwords as a general precaution. 

While Npower’s app has been scrapped, customers can still access their accounts through its website. 

Meanwhile, Mr Walsh has warned that customers could be hit with a flurry of phishing emails following the hack.

He added: ‘Hackers now have access to all the user credentials and passwords from the Npower app, which means that consumers must change any additional accounts they might have with the same password. 

According to MoneySavingExpert, Npower says customer accounts were accessed using login data obtained from other websites in a type of attack known as 'credential stuffing'. Pictured: The Npower website remains up, though the online app has now been taken down

According to MoneySavingExpert, Npower says customer accounts were accessed using login data obtained from other websites in a type of attack known as ‘credential stuffing’. Pictured: The Npower website remains up, though the online app has now been taken down

‘Otherwise, anyone that has reused the same password from the Npower app on another service could end up with that account also hacked.  

‘The probability that consumers will also now receive phishing emails is high, so it is essential that consumers watch their inboxes carefully for any emails that coerce them into following links or ask for personal information.’

Meanwhile, Helen Knapman, assistant editor – news and investigations – at MoneySavingExpert.com said: ‘More and more we’re seeing crooks turn online for the chance to get their hands on your hard-earned cash, whether directly or by stealing personal details which could help them carry out scams.

‘It appears this is what’s happened in this Npower data breach.’

Read more at DailyMail.co.uk