Npower, a British electricity generator and supplier of gas and electricity to homes and businesses, has closed down its app after an attack that exposed the financial and personal information of its customers.
How many accounts were affected by the breach remains unknown, but the company said the affected accounts had been locked.
Npower says the attackers used login credentials obtained from other websites to access customer accounts, a technique known as “credential stuffing.”
“We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as ‘credential stuffing’,” the firm said in a statement.
The stolen information may include names, contact details, birth dates, addresses, and partial bank account numbers.
Npower notified all affected customers of the issue, encouraged them to change their passwords, and explained how to prevent unauthorized access to their accounts.
The company’s app didn’t seem to be affected by the attack; the company had already planned to shut it down following Npower’s acquisition by Eon. Npower believes its website fulfils customers’ needs. The app allowed customers to make payments, view bills, and enter meter readings; to do this now, they will use the Npower website.
The Information Commissioner’s Office (ICO), the UK’s independent data protection regulator, confirmed that it had been informed about the attack. The ICO is now also investigating the hack.
“Npower has made us aware of an incident affecting their app and we are making inquiries,” the ICO told the BBC.
It is not clear when the attack took place, but MoneySavingExpert said it had seen an email sent to customers at the beginning of the month warning that their accounts had been locked.
Action Fraud advised customers to keep an eye out for potential phishing emails and to monitor their bank accounts for suspicious activity.