The advice has been clear for a number of years now: don't reuse your passwords across multiple websites. If you do, a breach at one site puts your accounts everywhere else at risk.
The latest organisation to suffer from exposed user login credentials being exploited is Transport for London (TfL). The transport group, which oversees the Tube, Overground and bus services across the capital, has shut down the website for its Oyster Card system after finding user accounts being accessed by malicious actors.
Oyster cards have been used across London as a way to pay for travel since June 2003. The Oyster Card website allows people to create Oyster accounts, top up card balances online, buy season tickets and create automatic payment schedules. All these functions are now out of action for the time being.
The website being pulled from use was first reported by The Register. If you visit TfL’s Oyster page at the moment then you’ll be presented with a message saying the system is “temporarily unavailable”.
"We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites," a spokesperson for the travel body said in an emailed statement. The spokesperson added that no customer payment details had been accessed.
“As a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place.”
TfL plans to contact the customers it has identified as affected and has stressed that its own systems have not been breached. TfL says it has identified 1,200 accounts that have been accessed maliciously. It has not said where the attempts originated. The payment systems around the London transport network are still in operation.
Account takeovers enabled by reused passwords that have leaked online have been on the rise in 2019. In February, we reported how Deliveroo customers were having their accounts hacked and food ordered to random addresses.
Attacks of this kind typically rely on credential stuffing, a relatively unsophisticated technique: attackers take username and password pairs exposed in earlier data breaches and test them, usually with automated tools, against a myriad of other online services to see where they still work.
The problem comes from people using the same password for multiple different accounts. It does not matter how strong that password is; once it has leaked from one site, credential stuffing is a simple way for hackers to cash in on the breach elsewhere. In January this year the largest collection of compromised email addresses and passwords yet seen appeared online in the Collection #1-5 databases. Between them they include 845GB of data, a complete treasure trove for hackers looking to exploit online accounts.
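The credential-stuffing pattern described in the two paragraphs above (one source walking a breached list across many accounts, most attempts failing, a few succeeding) is what a service like TfL's would look for in its login logs. The following is an added example, not code from TfL or from the original article: a sliding-window heuristic in Python that flags source IPs which try many distinct usernames with a high failure rate, then lists the accounts that nonetheless logged in successfully from those sources, which are the ones to force a password reset on. The log format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detection over login logs (illustrative example).

Flags source IPs that, inside any sliding time window, attempt logins for
many distinct accounts with a high failure ratio, then reports accounts that
still succeeded from those IPs (takeover candidates). The log format and the
thresholds below are assumptions for the example, not any real system's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Fields: timestamp, source IP,
# username, outcome. 203.0.113.10 walks a breached credential list and hits
# one reused password; 198.51.100.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2019-08-07T09:00:01Z 203.0.113.10 alice@example.com FAIL
2019-08-07T09:00:02Z 203.0.113.10 bob@example.com FAIL
2019-08-07T09:00:03Z 203.0.113.10 carol@example.com FAIL
2019-08-07T09:00:04Z 203.0.113.10 dave@example.com OK
2019-08-07T09:00:05Z 203.0.113.10 erin@example.com FAIL
2019-08-07T09:00:06Z 203.0.113.10 frank@example.com FAIL
2019-08-07T09:00:07Z 203.0.113.10 grace@example.com FAIL
2019-08-07T09:05:00Z 198.51.100.7 alice@example.com FAIL
2019-08-07T09:05:30Z 198.51.100.7 alice@example.com OK
2019-08-07T10:00:00Z 192.0.2.44 heidi@example.com OK
"""


def parse_line(line):
    """Return (timestamp, ip, user, ok) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), parts[1], parts[2].lower(), parts[3] == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return (flagged, takeovers).

    flagged maps IP -> (distinct users, attempts, failures) for the largest
    window in which that IP crossed both thresholds; takeovers is the set of
    (user, ip) pairs that logged in successfully from a flagged IP.
    """
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event:
            by_ip[event[1]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        recent = deque()  # events from this IP inside the current window
        for event in events:
            recent.append(event)
            while event[0] - recent[0][0] > window:
                recent.popleft()
            users = {e[2] for e in recent}
            fails = sum(1 for e in recent if not e[3])
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                if len(users) > flagged.get(ip, (0,))[0]:
                    flagged[ip] = (len(users), len(recent), fails)

    # Every success from a flagged source is a probable account takeover.
    takeovers = {(e[2], ip) for ip in flagged for e in by_ip[ip] if e[3]}
    return flagged, takeovers


if __name__ == "__main__":
    flagged, takeovers = detect_stuffing(SAMPLE_LOG)
    for ip, (users, attempts, fails) in flagged.items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {fails} failures")
    for user, ip in sorted(takeovers):
        print(f"force password reset: {user} (logged in from {ip})")
```

Per-IP thresholds are only a first line of defence: attackers rent proxy pools and botnets precisely so that each source sends a handful of attempts and stays under this kind of limit. In practice this heuristic is paired with per-account failure rates, device and browser fingerprinting, and a check of new passwords against known breach corpora.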
So far this year a number of other companies have suspended user accounts because of credential stuffing attacks. In July, Sky's UK arm told customers to reset their passwords after suffering from a credential stuffing attack. This week US insurance company State Farm notified users that they need to reset their passwords after credential stuffing attempts.
Security firm Akamai says it has seen a rise in malicious logins across the web as a whole in 2019. During the first four months of the year there were 3.2 billion attempts to illegitimately log into accounts, while in May and June alone there were 8.3 billion attempts. "One of the world's largest financial services companies was experiencing over 8,000 account takeovers per month, which led to more than $100,000 (£82,000) per day in direct fraud-related losses," Josh Shaul, Akamai's vice president of Web Security, said as the company released its research.
While TfL may be in the early stages of investigating the incident, The Register reported that several users had been tweeting its customer service teams complaining that they could not access their accounts. The first of these complaints was posted on August 7.
In advice to travellers, TfL said customers can still top up their Oyster cards using its app and at ticket machines in stations. If any suspicious activity is spotted on an account, it recommends contacting its customer services team. In the meantime, make sure you are using a different, strong password for every site, and a password manager to keep track of them; a unique password is what stops a leak from one site being replayed against your other accounts.