Npower ditches smartphone app after hack
Npower told MoneySavingExpert.com that customer accounts were accessed using login data obtained from other websites – a technique known as ‘credential stuffing’.
It hasn’t said how many accounts were accessed but admitted the data that may have been viewed could include a customer’s address, date of birth, bank sort code and the last four digits of their account number (but not full account number) and contact preferences.
The hack is being investigated by the Information Commissioner’s Office (ICO). Npower says it has closed down its app in the wake of the attack and does not intend to relaunch it as it was due to close in the coming weeks anyway.
Npower customers can view their accounts, see their bills and enter meter readings on the Npower website.
Helen Knapman, assistant news and investigations editor at MoneySavingExpert.com, said: “More and more we’re seeing crooks turn online for the chance to get their hands on your hard-earned cash, whether directly or by stealing personal details which could help them carry out scams – and it appears this is what’s happened in this Npower data breach.
“Anyone, regardless of whether their account has been compromised, should always use different passwords for all of their online accounts – if you struggle to remember them, you can store them in a password manager. If you’re concerned your data may have been accessed, monitor your bank account and also keep an eye on your credit report to see if someone is making false applications for credit in your name.”
What should Npower customers do?
If you use the Npower app and are worried your details have been stolen, you should change your passwords, especially if you use the same password for different accounts.
You should also watch out for phishing emails or texts. Be suspicious of unsolicited requests for your personal or financial details.
Keep a close eye on your bank account – check your statement for transactions you don’t recognise and report any unauthorised transactions to your bank immediately.
If you think you’ve been a victim of fraud, report it to Action Fraud online at actionfraud.police.uk or by calling 0300 123 2040.
An Npower spokesperson said: “We’ve contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and advice on how to prevent unauthorised access to their online account.
“We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the Npower app. We also notified the Information Commissioner’s Office and Action Fraud.
“As part of Npower’s existing wind-down plans, the mobile app was already due to be taken down. As part of this plan, we have contacted all active app users to let them know that they can continue to self-serve on Npower.com.
“Protecting customers’ security and data is our top priority and our robust defences helped us to identify this recent attack. It’s important we all continue to stay secure online and urge customers to avoid reusing the same password across multiple websites.”