Npower app shut down after security breach

26 February 2021, 12:11   By Dr Lucy Brown, Editor

Energy provider confirms their mobile app was attacked with some customer details compromised.

The contact details, birthdays, addresses and partial bank account numbers of customers were among the details believed to have been stolen.

All affected customers have been notified by Npower and have been encouraged to change their account passwords.

Npower have now shut down their app ahead of their planned date for winding down the business due to their acquisition by Eon.


Security attack

Npower has declined to state how many accounts were compromised by the breach or what information was stolen during the attack.

They say they identified suspicious activity on their mobile app, where customer accounts had been accessed using login data stolen from another website in a process called "credential stuffing".

Consequently, the affected accounts had been locked and customers had been contacted to make them aware of the security issue. They were also advised to change their passwords and given advice on protecting their online account.

Npower has informed the Information Commissioner's Office (ICO) of the breach, along with Action Fraud. The ICO are making inquiries into the incident.

What is credential stuffing?

Credential stuffing reuses data from one breach to cause another: leaked credentials are entered automatically into other websites until they match existing accounts.

So, in this case, affected Npower customers would already have been caught up in another breach, with their login details for that other site then tried against various other websites, including Npower's.

The matching process is run through automated systems, and it's estimated they strike lucky between 0.1% and 0.2% of the time. While this doesn't sound like a lot, given the millions of login attempts they try, it's quite a significant number of successful attempts.

Once an attacker has access to a customer's account in this type of security breach, they will take any stored value on the account and steal credit card numbers and other types of personal information stored on there.

This can then be used in future scams, meaning customers can be targeted multiple times by the same security breach.
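The pattern described above (one automated source trying many different accounts and succeeding only a fraction of a percent of the time) is what a defender looks for in login logs. The following is an added example, not code from Npower or from this article; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed sample login events: (epoch_seconds, source_ip, username, success)."""
    events = []
    # One automated source tries 500 different accounts once each; 1 matches (0.2%).
    for i in range(500):
        events.append((1000 + i, "203.0.113.7", f"user{i}@example.com", i == 137))
    # An ordinary customer mistypes a password twice, then logs in.
    events += [
        (1010, "198.51.100.4", "alice@example.com", False),
        (1020, "198.51.100.4", "alice@example.com", False),
        (1030, "198.51.100.4", "alice@example.com", True),
    ]
    return events

def find_stuffing_sources(events, window=3600, min_users=50, max_success_rate=0.05):
    """Flag sources that try many distinct accounts in one time window with a
    very low success rate. Thresholds are illustrative assumptions, not tuned values.
    Limitation: fixed windows per IP miss attacks spread thinly over many addresses."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, ts // window)].append((user, ok))

    findings = []
    for (ip, slot), rows in sorted(buckets.items()):
        distinct_users = {user for user, _ in rows}
        # Accounts where a leaked password actually worked: lock and notify these.
        hits = sorted({user for user, ok in rows if ok})
        success_rate = sum(1 for _, ok in rows if ok) / len(rows)
        if len(distinct_users) >= min_users and success_rate <= max_success_rate:
            findings.append({
                "ip": ip,
                "window_start": slot * window,
                "attempts": len(rows),
                "distinct_users": len(distinct_users),
                "success_rate": success_rate,
                "accounts_to_lock": hits,
            })
    return findings

if __name__ == "__main__":
    for finding in find_stuffing_sources(build_sample_events()):
        print(finding)
```

The customer who mistyped a password is not flagged because only one account is involved; the automated source is flagged, and the single account it got into is listed for locking and a password reset.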


App shuttered

The breach prompted Npower to shut down their mobile app, meaning customers can no longer manage their Npower account in this way.

As part of Npower's acquisition by Eon, the app was in the process of being shuttered anyway, but the breach led to them closing it early.

All Npower customers are gradually being moved over to Eon Next, a subsidiary of their new parent company. All customers will be notified ahead of the change, although it's significant in relation to this breach that every customer will receive a new online account anyway.

The Npower brand was part of a complicated asset swap between RWE and Eon back in 2019 following the collapse of a proposed merger between Npower and SSE, although it's only recently that efforts to remove the Npower brand from the UK market have begun in earnest.

Customers who don't want to transfer over to Eon Next may want to compare cheap energy deals and search for a new supplier. Be aware exit fees may apply depending on where a customer is in their fixed term contract.

Eon suffered their own embarrassing tech failure just before Christmas when they took payment from around 1.5 million customers up to two weeks earlier than they should have.

Standard variable tariff (SVT) customers of both Npower and Eon were recently informed their energy prices would be rising to the maximum allowed under the energy price cap.
