Npower shuts down app after data breach

Npower has confirmed it shut down its customer app following an attack which left customers’ details exposed to cyber criminals.

The attack was first reported by MoneySavingExpert.com, which said it had seen an email from the firm dated 2 February warning customers that their accounts had been locked following third-party access.

A spokesperson has confirmed the supplier had identified suspicious cyber activity affecting its mobile app, where someone accessed customer accounts using login data stolen from another website, a process known as ‘credential stuffing’.

During the breach, personal data and contact preferences were accessed. For some accounts, the sort code and the last four digits of the bank account number, but not the full number, were accessed.

The incident has been reported to the Information Commissioner’s Office (ICO) and Npower said it cannot disclose the number of people affected or exactly when the breach occurred.

All affected customers have been contacted and made aware of the breach, and have been encouraged to change their passwords and given advice on how to prevent unauthorised access to their online account.

The spokesperson added: “We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the Npower app. We also notified the Information Commissioner’s Office and Action Fraud.

“As part of Npower’s existing wind-down plans, the mobile app was already due to be taken down. As part of this plan, we have contacted all active app users to let them know that they can continue to self-serve on npower.com.

“Protecting customers’ security and data is our top priority and our robust defences helped us to identify this recent attack. It’s important we all continue to stay secure online and urge customers to avoid reusing the same password across multiple websites.”

A spokesperson for the ICO said: “Npower has made us aware of an incident affecting their app and we are making enquiries.”

Eon, which now owns Npower, was itself the victim of a similar attack last month and was forced to close down its app because login details were stolen from a third party.

Late last year, just under 400,000 current and former customers of People’s Energy had their personal details accessed by hackers.

The Edinburgh-based disruptor brand was targeted by cyber criminals who also managed to access the financial details of 15 small business customers. No domestic customers had their financial details exposed.