Transport for London has confirmed a number of passengers’ Oyster accounts have been hacked, after customers complained of not being able to access the service online.
The transport authority took the precaution of taking the Oyster system offline after 1,200 customer accounts were compromised. Online contactless and Oyster accounts were temporarily suspended to limit the damage.
That’s a small fraction of the six million online Oyster accounts, which facilitate easy travel in the capital on tube, train, bus and tram, but still a concern for those involved.
“As a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place,” TfL said in a statement.
TfL believes the breach may have been the result of a third-party breach. The affected users may have used the same logins on other websites, causing the hackers to try their luck on the TfL site.
It said: “We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”
In a statement to The Register, TfL said no customer payment details had been obtained by the hackers, but it is putting additional security measures in place as a precaution.
While the online service is offline, TfL customers can still use their mobile Oyster app to top up their PAYG accounts, while physical top-ups can be made at ticket machines.
The issues began on Wednesday night with customers unable to access the website after the hackers used credential stuffing tactics in order to gain access to accounts. Yesterday, TfL was telling customers of “performance affecting issues”, but only revealed the hack on Thursday.
The transport authority is advising account holders to contact Transport for London if they notice any strange activity on their accounts. All breaches will be reported to the National Cyber Security Centre and British Transport Police.