Npower customers targeted by Credential Stuffing Attack

ByCraig Haley

If you’re an Npower customer, there is a chance your account was accessed by cyber crooks recently and some of your personal information and partial banking information was exposed.

It could be easy to point the finger of blame at Npower at this point, and assume the breach happened because of lax security on their behalf. But you would be wrong.

That’s because, from all accounts, the attack was a credential stuffing attack. That means that instead of the crooks targeting Npower’s servers or apps in order to breach their security, the crooks have used information previously stolen from other websites, such as usernames and passwords, and simply plugged them into the Npower mobile app to see if any of you are reusing the same username and password combinations across multiple sites.

And unsurprisingly, a lot of people are.

So, for example, let’s say a year ago, a hypothetical company you had an account with got breached, resulting in hundreds of thousands of usernames and passwords getting leaked and shared online, including yours.

The hypothetical company duly lets you know, and forces you to change your password, which you do. And now you’re happy that you and your new password are all good again.

But wait. That first password you used with the hypothetical company, that same password that got leaked… you also used it on your Npower account. And now crooks have gone to the Npower app and typed in your email address and that leaked password and voila. They’re in, and now they’re snooping on your personal information!


Sponsored Content. Continued below...




That is, by and large, a credential stuffing attack.

How do I know if I was infected?

If you’re an Npower customer, the energy company would have reached out to you by now to tell you if you were affected and to change your password.

I was affected. What now?

First of all, stop reusing the same passwords across multiple accounts. It makes you a prime target for credential stuffing attacks. That’s because if one domino falls, they all fall!

Secondly, it means that crooks can be in possession of your personal information. This can include your name, address and date of birth and the last four digits of your bank account number.


Sponsored Content. Continued below...




This may not be enough to access your bank account, but it is certainly enough for crooks to launch some pretty convincing targeted email phishing attacks against you, something we call spear-phishing. Generic mass phishing email scams can usually be spotted because they lack any personal information concerning the recipient (since the same email scam is mass mailed to thousands of recipients.) But with spear-phishing, crooks specifically tailor a scam to you and include your personal information to make the email appear more convincing, and increasing the chances you’ll click a link leading to a spoof webpage and part with even more sensitive information!

So be especially cautious of emails landing in your inbox asking you to click links, even if those emails do contain your personal information!

Beyond that, be vigilant and watch out for any suspicious activity on your bank accounts, just to be safe.

And remember, the more you know about how phishing scams work and how credential stuffing attacks work, the higher the chance you’ll be able to spot the scam before it’s too late! So read up – here’s our article on phishing attacks and you can read more about credential stuffing attacks here.

Keep up-to-date with all the latest cybersecurity threats and our tips to stay safe online. Follow us on Facebook, Instagram and Twitter.

Continued below...


Thanks for reading! But before you go… as part of our latest series of articles on how to earn a little extra cash using the Internet (without getting scammed) we have been looking into how you can earn gift vouchers (like Amazon vouchers) using reward-per-action websites such as SwagBucks. If you are interested we even have our own sign-up code to get you started. Want to learn more? We discuss it here. (Or you can just sign-up here and use code Nonsense70SB when registering.)

Become a Facebook Supporter. For 0.99p (~$1.30) a month you can become a Facebook fan, meaning you get an optional Supporter Badge when you comment on our Facebook posts, as well as discounts on our merchandise. You can subscribe here (cancel anytime.)