- All Oyster account holders will have to reset their passwords to regain access.
- This is a precautionary measure to prevent credential stuffing attacks from succeeding in the future.
- Previously, 1200 account holders were compromised after their passwords were stolen from elsewhere.
TfL (Transport for London) is forcing Oyster cardholders to reset their passwords in order to be able to access their accounts again. Oyster is a popular travel card that can help locals and tourists travel around the English capital using public transportation (bus, tram, train, or river bus services). In general, it saves people time as it supports contactless payments, and it is a great value as it’s way cheaper than buying single tickets every time you need them.
TfL actually discovered the breach back in August, after credential theft elsewhere on the internet led to credential stuffing actors knocking on its platform’s door. Back then, the hackers targeted 1200 Oyster card account holders and managed to take control of their accounts momentarily. Months after this incident, TfL decided to ask every account holder to reset their password as a precautionary measure, as the stuffing actors could possess more credentials and give it another try in the future. That said, all Oyster and contactless accounts are now locked, and a relevant password reset request must have already reached the holder’s inbox. The CTO of TfL stated the following: “This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites.”
Customers are now required to use at least eight characters, and also a mix of numbers and upper/lower case letters, for their new passwords. Using a new and unique passphrase that you haven’t registered anywhere else goes without saying, as the whole point of the reset is to minimize the risk of getting compromised by credential stuffing attacks again. A good idea would be to pick a password manager and have it generate a strong password that you won’t have to write down or remember.
Remember, travel-zone and time-limited cards like Oyster are great bargains, but they also constitute a data privacy risk. As there are no alternatives to the Oyster service for London, use it responsibly and create accounts that don’t extend to the entirety of your online presence, but are instead devoted solely to their specific purpose. If that sounds like too much for you, revert to paying for your tickets right on the bus or train, and enjoy the serenity that comes with this practice.