Published on August 9th, 2019
Thousands of Oyster users witness cyberattack on the online service
Transport for London (TfL) was forced to temporarily suspend the website for its Oyster system after a credential stuffing attack in which 1,200 accounts were maliciously accessed.
TfL’s online Oyster travel smartcard system was this week accessed by online larcenists who used customer login credentials stolen from other websites.
The transport authority has said that the intrusions affected passengers whose Oyster accounts used the same email address and password combination as their accounts on one or more hacked websites.
“We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites,” a TfL spokesperson said, adding that the passwords were not leaked by TfL or its services. Instead, they had been stolen from another website and were then used to log in to the Oyster service.
“No customer payment details have been accessed, but as a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place. We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites,” the spokesperson said.
The BBC reported that TfL said it would be contacting customers whose accounts were affected and had taken the issue to the National Cyber Security Centre and British Transport Police.
A number of customers took to Twitter to report the problem with their online Oyster accounts. TfL replied: “Oyster online is currently unavailable whilst we investigate performance issues impacting users.”
Hi Alessandra, Oyster online is currently unavailable whilst we investigate performance issues impacting users. We hope to have service restored later this evening but I can’t specify a time, it might be best to log in again tomorrow. Sorry about the inconvenience caused, Tariq
— Transport for London (@TfL) August 7, 2019
It said the online system should be up and running by August 9.
(2/2) Web accounts are likely to remain unavailable for the rest of the evening but should be back online tomorrow morning. Thanks, Tariq
— Transport for London (@TfL) August 8, 2019
In advice to travellers, TfL said customers can still update their Oyster cards using its app and at ticket machines in stations. TfL also has an online guide for customers should they face any cyberattack.
Credential stuffing exploits the huge volumes of stolen passwords available on the dark web and affects users who tend to reuse the same logins across multiple sites. Attacks are estimated to cost EMEA firms as much as $4m annually.