- Npower has had a security incident involving its smartphone app, which is now being deprecated.
- The platform noticed an uptick in credential stuffing attacks, which led to unauthorized access to customer information.
- No details such as the number of compromised accounts have been published, but the ICO has been given the full details.
British electricity generator and gas supplier ‘Npower’ is scrapping its app following a wave of credential stuffing attacks that have compromised a large amount of customer information. Reportedly, the hackers used valid credentials stolen from other websites and previous data breaches and then proceeded to test them against the Npower app, taking over a large number of customer accounts and accessing the associated data as a result.
The information that has been exposed includes the following:
- Personal information like contact details, date of birth, and address
- Partial financial info such as sort codes and the last four digits of customers' bank account numbers – though crucially NOT full account numbers
- Contact preferences like whether the customer prefers to be contacted by email, text, or phone call
Npower hasn’t given the number of compromised accounts or said when exactly the compromise happened, but third-party sources claim to have seen internally circulated warnings dating as far back as February 2, 2021. The company has generally not been very open about publicly sharing the details. Still, it has notified the British Information Commissioner’s Office (ICO) as obliged by law, so an investigation by the authority should be underway.
The smartphone app has been deactivated, and all customers are urged to make payments, access bill details, and enter meter readings manually through the website. Possibly, Npower has evidence that the credential stuffing attacks exploited the app at the API level, allowing the attackers to try out a large number of username and password combinations without raising alarms. That would be a security flaw that needs to be addressed, and it could explain why the app is being scrapped immediately.
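As an added example (not code from the article or from Npower), here is the kind of detection logic a defender would run over login-API logs to catch the pattern described above: one source cycling through many distinct usernames with mostly failures, as opposed to a customer mistyping their own password or a brute-force attempt against a single account. The log format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login-API log (not real Npower data): one line per login attempt.
SAMPLE_LOG = """\
2021-02-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2021-02-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2021-02-01T10:00:03Z ip=203.0.113.7 user=carol@example.com result=success
2021-02-01T10:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2021-02-01T10:00:05Z ip=203.0.113.7 user=erin@example.com result=fail
2021-02-01T10:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2021-02-01T10:01:00Z ip=198.51.100.9 user=alice@example.com result=fail
2021-02-01T10:01:20Z ip=198.51.100.9 user=alice@example.com result=success
2021-02-01T10:02:00Z ip=192.0.2.44 user=bob@example.com result=fail
2021-02-01T10:02:01Z ip=192.0.2.44 user=bob@example.com result=fail
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$")

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "success"))
    return sorted(events)

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_failures=4):
    """Flag source IPs that try many distinct usernames with mostly failures within one window.
    Single-account brute force (many failures, one user) is deliberately left to another rule."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if not e[3])
            if len(users) >= min_users and failures >= min_failures:
                flagged[ip] = {"users": len(users), "failures": failures, "successes": len(chunk) - failures}
    return flagged
```

On the constructed sample only 203.0.113.7 is flagged; the retrying customer at 198.51.100.9 and the single-account attempts from 192.0.2.44 are not, which is the distinction an API-level rate limit keyed purely on failures per IP would miss.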
If you were using the Npower app until now, go ahead and reset your credentials on online platforms where you may have been using the same passwords. Moreover, remain on high alert for incoming scam messages, both SMS and emails. While the financial details that have been accessed aren’t enough for direct exploitation, it wouldn’t hurt to keep an eye on your bank statements and look for any transactions you don’t recognize.