Npower has permanently shuttered its mobile app after a February cyberattack exposed some customers’ personal and financial information.
The energy supplier said hackers used login details stolen from other websites to log in to customer accounts, a practice known as “credential stuffing”, and access customers’ contact details, birthdates, addresses, sort codes and the last four digits of their bank account numbers. Cybersecurity experts said the theft of these details left Npower customers at risk of fraud.
Npower declined to say how many customers had been impacted by the attack but said it had notified them and encouraged them to take security precautions.
“We’ve contacted all affected customers to make them aware of the issue, encouraging them to get advice on how to prevent unauthorised access to their online account. We immediately locked any online accounts that were potentially affected. We also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority,” a spokesperson for the supplier said.
Customers should also change the passwords on other sites if they’re the same as the one they used for Npower.
Action Fraud said customers should monitor their bank accounts for suspicious activity and watch out for phishing emails.
Npower owner E.ON has since closed the Npower mobile app, which it said was already part of its plans to wind down the brand. Customers can still log in to their accounts using Npower’s website.
E.ON purchased its Big Six rival in September 2019 and is near the end of a two-year process to migrate its 3.5 million accounts.
E.ON’s own app, which lets customers access their accounts and record their meter readings, went down at the end of January for two weeks—an outage the supplier says is unrelated to the Npower hack.
Meanwhile, Npower and E.ON were among 18 energy suppliers forced to refund customers after breaching switching rules. Ofgem said suppliers across the market hadn’t properly protected customers’ tariff prices after they requested to switch to a new supplier or tariff. One million households are in line for an average refund and goodwill payment of £10.40 as a result of the failings.