Personal data stolen
Npower has notified customers of a data breach that affected some users of its app. Contact details, birth dates, addresses and partial bank account numbers are among the details believed stolen. The power supplier has now closed down the app completely, although it was already scheduled to be withdrawn soon because of the company’s acquisition and merger into Eon.
Npower has not revealed how many customers have been affected, but it has stated that the unauthorised access occurred via "credential stuffing", in which criminals take login details exposed in unrelated breaches and try them against other companies. The hackers would be able to enter any Npower account whose owner was reusing a password already exposed elsewhere. This stands as yet another stark example of why it’s vitally important not to reuse passwords.
Npower has notified the Information Commissioner’s Office and also emailed people known to have been affected. If you have been affected, make sure you change your password on any other accounts where you’re reusing it, and monitor your bank account for suspicious activity.
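Credential stuffing as described above leaves a recognisable trace in login logs: one source tries many different usernames in a short time and most attempts fail. The following is an added example, not code from Npower or from the original article, showing how a defender could flag such sources and list the accounts that were actually entered; the log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-02-01T10:00:01 203.0.113.7 alice FAIL
2020-02-01T10:00:03 203.0.113.7 bob FAIL
2020-02-01T10:00:05 203.0.113.7 carol OK
2020-02-01T10:00:08 203.0.113.7 dan FAIL
2020-02-01T10:00:10 203.0.113.7 erin FAIL
2020-02-01T10:00:12 203.0.113.7 frank FAIL
2020-02-01T10:01:00 198.51.100.20 grace FAIL
2020-02-01T10:01:20 198.51.100.20 grace OK
2020-02-01T10:02:00 192.0.2.50 heidi OK
2020-02-01T10:02:30 192.0.2.50 ivan OK
2020-02-01T10:03:00 192.0.2.50 judy OK
2020-02-01T10:03:30 192.0.2.50 mallory OK
2020-02-01T10:04:00 192.0.2.50 niaj OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect(log_text, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.25):
    """Flag IPs that try many distinct usernames in one window, mostly failing."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in burst}
            entered = sorted({u for _, u, ok in burst if ok})
            # Many usernames with few successes separates stuffing from a
            # shared office address, where most logins succeed.
            if len(users) >= min_users and len(entered) / len(users) <= max_ok_ratio:
                report[ip] = {"users_tried": len(users), "accounts_entered": entered}
                break
    return report

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The `accounts_entered` list is the set of users whose passwords need resetting and who need to be notified, since their reused credentials worked.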