Npower shuts down mobile app following data breach

Npower will not turn its mobile app back on after the attack

UK energy giant Npower has permanently closed its mobile app, after finding that hackers had used it to steal sensitive information from customers.

The company will not bring the app back in the future, as it was due to be withdrawn within the next few weeks following Npower's acquisition by Eon.

Users can continue to access their accounts by logging in on the Npower website.

The Npower data breach was first reported by MoneySavingExpert, which claimed the unauthorised access likely happened prior to 2nd February 2021.

Npower did not say how many accounts were affected, but told the BBC that all affected accounts had been locked.

The company said its IT teams identified suspicious activity affecting the mobile app, and an initial investigation revealed that unidentified cyber actors used a credential stuffing attack to access customer accounts using login data stolen from another website.

The hackers may have been able to view users' personal information, partial financial information and contact preferences.

Npower says it has alerted all affected customers, and advised them to change their passwords as early as possible. Those affected are also being encouraged to change their passwords on other accounts, if they were using same passwords on multiple services.

Npower said there was no risk to users' bank accounts with the limited information that was accessed, and added that it has informed the Information Commisioner's Office about the attack.

Action Fraud, the UK's national fraud reporting service, advised Npower customers to remain cautious for potential phishing emails and to report any suspicious activity to law-enforcement agencies.

This is not the first security breach affecting Npower users.

In September 2018, the personal details of around 5,000 customers spilled in a glitch that saw names, addresses and payment details emailed to the wrong account holders.

Commenting on the latest breach, Adam Palmer, chief cybersecurity strategist at cybersecurity company Tenable, said: "The attack against the Npower app is just the most recent example of cybercriminals using previously stolen or leaked consumer data to launch additional attacks.

"Known as 'credential stuffing', attackers inject large amounts of stolen passwords or IDs against other accounts with the goal that a small number will successfully allow access to the victims' accounts. This attack is successful because many consumers use the same credentials for multiple accounts, the equivalent of using the same key for multiple locks.

"These are not advanced attacks and the risk can be significantly reduced if online users use unique passwords for each account. For businesses, these attacks are also one of the reasons they must act quickly to notify consumers of a data breach so steps can be taken to change passwords or monitor accounts. Actively assessing systems for exploitable vulnerabilities to remediate can close potential data leak sources before a breach occurs."

James Smith, principal security consultant and head of penetration testing at Bridewell Consulting, said:

"This attack on Npower is incredibly serious but unfortunately not surprising. The attack surface area of the UK's energy sector is vast, as more than two-thirds have made their Operational Technology (OT) systems accessible over the internet. In this instance, customers have lost highly sensitive data which was Npower's responsibility to protect. With the rate of attacks increasing as they are, the consequences could become even more severe...

"It's not just the energy sector that is at risk, but the UK's critical national infrastructure as whole - including healthcare, water, aviation and more, and the consequences of these attacks can put public safety at real risk, including a threat to loss of life.'