Following reported instances of a number of accounts being accessed maliciously earlier this year, all Oyster and contactless customers are being required to reset their website account passwords.
TfL says that it’s a purely precautionary measure, and that there’s no reason to think that the earlier attack has been repeated.
The background is that back in August, TfL became aware that a small number of customers had had their Oyster online accounts accessed maliciously, which TfL believes that this occurred when people used the same password on several websites, and one of those other websites was hacked into, letting hacker into their TfL account using the same password.
Fortunately, no customer payment details were accessed and all affected customers were contacted and informed about this at the time.
TfL says that it is working with the British Transport Police to investigate who is behind the earlier attack, with one person already arrested, and the Information Commissioners Office has been notified.
As a precautionary measure, TfL has now decided to ask all customers to reset their passwords via the TfL website, and the reset will be sent to their registered email account.
Using a different password on every website is a pain, but it’s about the only way of preventing a hacked website letting someone log-in to your account on an otherwise secure website. A password manager tool, which generates random passwords for each website you log into is a good way of reducing that risk, and ianVisits makes use of LastPass as a web browser plug-in. Other password managers exist.
Shashi Verma, Chief Technology Officer at Transport for London said: “Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe. As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in.”
Travel using an Oyster or Contactless care wont be affected, only using the website to check customer account details.
Perhaps it’s this ARL issue? https://www.theregister.co.uk/2019/08/27/tfl_oyster_cards_plain_text_password_form/
Nope – it’s this one: https://www.theregister.co.uk/2019/08/08/tfl_oyster_card_outage_online_topup/
I’m going to continue using the same password on unimportant websites, as having tried password managers, they are just to hard to maintain across different devices and browsers. Organisations that force password resets are a PITA, especially if they prevent you re-entering the password you want.
And you’re the type to scream bloody murder when something goes wrong because of your own lack of security — I’ve been using password managers for years. They just sync across all platforms so your excuse is at best ignorance. If you don’t know how to use them, ask someone, read up on the internet, or pick an alternative password manager that is better designed. LastPass is mentioned in the article which is brilliant.