Energy firm Npower has closed down its app following an attack that exposed some customers’ financial and personal information. Contact details, birth dates, addresses, and partial bank account numbers are among the details believed stolen. The firm did not say how many accounts were affected by the breach, which was first reported by MoneySavingExpert.com.
But the affected accounts had been locked, Npower had said.
“We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as ‘credential stuffing’,” the firm said in a statement.
<p>As we saw with this breach, credential stuffing attacks have the ability to cripple businesses’ digital engagement efforts. However if there’s a silver lining here, it’s that this campaign targeted at users in large numbers – it wasn’t particularly sophisticated, which likely made it easier to spot and address quickly. More challenging for businesses are targeted attacks that hijack the accounts of employees in order to move laterally throughout the organization. When malicious actors take over insider accounts, they can more easily hide their activity by blending in with everyday behaviours.<br /><br />Following this attack, consumers should check services like HaveIBeenPwned to see if their logins have been breached and change their passwords across accounts. On the corporate front, the company is likely taking a close look at its internal activity as well to ensure they understand the full scope and vectors of this attack.</p>
<p>A data breach is often only the start of a series of privacy concerns for victims. According to Tenable Research\’s analysis of <a href=\"https://www.tenable.com/cyber-exposure/2020-threat-landscape-retrospective\" data-saferedirecturl=\"https://www.google.com/url?q=https://www.tenable.com/cyber-exposure/2020-threat-landscape-retrospective&source=gmail&ust=1614434649456000&usg=AFQjCNFEKx9OwZwJvRWV5pN2lcqGUim_3g\">730 publicly disclosed data breaches last year</a>, 22 billion records were exposed. That\’s a lot of information that attackers can use to further their malicious activities. The attack against the Npower app is just the most recent example of cybercriminals using previously stolen or leaked consumer data to launch additional attacks.</p> <p> </p> <p>Known as “credential stuffing\", attackers inject large amounts of stolen passwords or IDs against other accounts with the goal that a small number will successfully allow access to the victims\’ accounts. This attack is successful because many consumers use the same credentials for multiple accounts, the equivalent of using the same key for multiple locks.</p> <p> </p> <p>These are not advanced attacks and the risk can be significantly reduced if online users use unique passwords for each account. For businesses, these attacks are also one of the reasons they must act quickly to notify consumers of a data breach so steps can be taken to change passwords or monitor accounts. Actively assessing systems for exploitable vulnerabilities to remediate can close potential data leak sources before a breach occurs. </p> <p><br />However, while the use of multiple passwords would help reduce the risk of credential stuffing attacks, the onus should not just be on consumers. Mature organisations, such as large banks, will actively hunt for databases of stolen credentials to compare against their own database of customers credentials to warn affected customers to change their passwords. Organisations should also look to implement two-factor authentication, adding another layer of protection for consumers when conducting any confidential or financial transactions.</p>
<p>The Npower app breach shows that no matter how prepared a company thinks they are, cybercriminals will always try to get the upper hand by taking advantage of the weak spots you didn’t know you had. Contact details, birth dates, addresses and partial bank account numbers are believed to have been stolen which is worrying at the best of times, but especially during a pandemic where most employees are remote working.</p> <p> </p> <p>The UK has been working from home for almost a year, which means the personal and professional has become more intertwined than ever before – the danger of this is people are likely to be using passwords across personal and business applications as there isn\’t an obvious mental barrier, like going into and leaving an office is. Indeed, one in five UK home workers has received no training on cyber-security which is leading to increasing numbers of data breaches for UK companies, risking not just reputation but also serious financial consequences. Therefore, as well as cybersecurity training for employees, companies need to adopt robust security measures such as scaling SD-WAN. In the new era of remote working, security needs to span on premise and the cloud.</p>
<p>It\’s unfortunate this breach has occurred but in terms of security for customers, individuals should always be attentive to their card transactions because fraudulent activity is likely after a significant breach like this.</p> <p> </p> <p>Furthermore, most people today will have hundreds of online accounts and trying to create a unique, but memorable, password for them all is challenging. Password managers are helpful but two-factor authentication should ideally be something most sites offer today. Additionally, increase your password strength with longer characters (they are harder to crack with 10 plus characters) and use a combination of capitals, numbers, and special characters that don’t spell common words.</p> <p> </p> <p>While the details are still unclear of how this breach happened, based on our experience, we advise all organisations to test their cybersecurity regularly. It’s a proactive approach that uncovers misconfigurations, bad assumptions, and incompatibilities in both IT and security technology that might expose an entry point for attack. Many successful attacks are made through known, exploitable vulnerabilities that go unpatched while the security staff is chasing the vector of the most recent publicly-reported breach.</p>
<p>We all know it\’s easier to remember one style of password or one password for all of our accounts. However, cybercriminals are fully aware of this and use passwords stolen from other data breaches to access various user accounts. While phishing and other attack vectors involve more analysis and security measures, credential stuffing is something that we as individuals can fix ourselves.</p> <p> </p> <p>There are free monitoring services available, like HaveIBeenPwned.com, where you can find out if your email is known to be involved in a previous data breach. Keeping track of your passwords in a password vault is the first step toward protecting your accounts. The second step is to always change that password when it has been compromised in a data breach. The third step is to have unique and strong passwords for each account you create, reducing the likelihood of a credential stuff attack.</p> <p> </p> <p>Finally, using multi-factor authentication or MFA, wherever provided by the organization, can add that extra layer of protection to an account. If the password is compromised, it is significantly more difficult for cybercriminals to gain access and expose a user\’s data. Organizations want to implement a robust security culture to inform users of the importance of unique passwords to reduce the risk of compromised accounts and the potential loss of stolen Personally Identifiable Information.</p>