The Oyster Site Was Shut down Due to Password Recycling

So you wanted to get an Oyster card, top it up, or buy a season ticket, but when you tried to do so via the official website, you were not able to. Although the services are fully restored now, just a few days ago users of Oyster accounts were denied access. At first, it seemed as if TfL (Transport for London) was experiencing maintenance issues, but it was soon revealed that access to online contactless and Oyster accounts was suspended due to a security issue. The BBC reported that the issue affected around 1,200 customers, which, in the grand scheme of things, is not so terrible, considering that there are over 6 million account holders in total. So, what happened? It is believed that the security issue occurred because customers were not cautious when setting up their Oyster passwords.

TfL says that the data breach did not affect payment details

Oyster passwords were affected when attackers employed a credential stuffing attack, according to the BBC. Credential stuffing, also called password stuffing, is the kind of attack during which cybercriminals use illegally obtained passwords, usernames, login email addresses, and other sensitive information to gain access to other users’ accounts. Unfortunately, in some cases, people use the same email addresses and usernames, and, on top of that, they recycle the same passwords. That is a recipe for disaster. If cybercriminals obtain the login credentials of one account during a data breach, they can try to use the same credentials to gain access to other accounts. TfL believes that that is exactly what happened on Wednesday. In many cases, even large data breaches remain undetected and unreported for weeks, months, and sometimes even years. Therefore, it is hard to say which data breach the Oyster password-related issue might be linked to.

The good news is that the payment details associated with Oyster accounts do not appear to have been breached. TfL said that it would be contacting the affected users directly with more information, but even if you were not one of the affected customers, it might be time to secure your Oyster password and account. The recent account hacking might not have affected customers badly, but the next hack could be much worse, and we cannot predict when or how it would happen. This is why you want to be prepared and ready. The first thing you might want to do is figure out how to change your Oyster password.

What happens when people reuse Oyster passwords?

If you reuse your Oyster password, or any password for that matter, you put yourself at risk of a potential data breach. You now know how credential stuffing attacks work, but what exactly can cyber attackers do once they gain access to your accounts? That pretty much depends on what kind of account is breached. For example, when it comes to Oyster accounts, you could be at risk of having available funds transferred to a different account. Unfortunately, cybercriminals can be much more dangerous. If they accessed your social media accounts, they could try to change the passwords and lock you out. Without you in control, the attackers could impersonate you and use your name and reputation to spread scams and malware using malicious and misleading links and attachments posted publicly or sent directly to your friends, family, or colleagues.

Cybercriminals could also try to invade more sensitive accounts, such as your online banking accounts, email accounts, or accounts that could put other people at risk. For example, if you are responsible for managing employees or keeping customers’ data protected, but you are not careful about the passwords you set up, you might end up being responsible for the data breaches that affect others.

How to change your Oyster password?

If you believe that your Oyster password is not secure enough, which certainly is the case if it is recycled, you need to make changes immediately. First, figure out how to change your Oyster password, and then do the same for all other recycled passwords. Also, note that even if the passwords you use are unique, they could still be vulnerable. A vulnerable password is a password that is short, is easily guessable, or does not contain numbers, special symbols, or a combination of upper and lower-case letters. A password that contains specific words is not considered to be strong either. For example, jamesbond007 is a weak password and M?-!8$:+@a|* is a strong alternative. Both of these combinations have 12 symbols, but they are completely different in their complexity.
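The criteria above can be turned into a check that reports why a password is weak. This is an added example, not part of the original article or of any product it mentions; the word list, the look-alike substitution table and the 12-character minimum are assumptions chosen to match the two passwords discussed.

```python
import string

# Constructed word list standing in for a real dictionary of names and
# common words; a production check would use a far larger one.
COMMON_WORDS = {"james", "bond", "password", "london", "oyster", "qwerty"}

# Undo common look-alike substitutions so "J@m3s" is still read as "james".
LOOKALIKES = str.maketrans("0134@5$7", "oieaasst")


def weaknesses(password, min_length=12):
    """Return the reasons a password is weak; an empty list means that it
    passed every check described in the paragraph above."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special symbol")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")

    # Word check runs on a normalized copy, so character-class tricks
    # layered on top of a dictionary word do not hide it.
    normalized = password.lower().translate(LOOKALIKES)
    found = sorted(word for word in COMMON_WORDS if word in normalized)
    if found:
        problems.append("contains word(s): " + ", ".join(found))
    return problems


if __name__ == "__main__":
    for candidate in ("jamesbond007", "J@m3sB0nd!!9", "M?-!8$:+@a|*"):
        print(candidate, "->", weaknesses(candidate) or "no weakness found")
```

The middle candidate satisfies every character-class rule and is still rejected, which is why the word check matters more than the symbol count.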

Before you change your Oyster password, which you can do here, you need to think of a good, strong, and, of course, unique combination. Aim for a password that you would have a hard time remembering yourself. Doesn’t that defeat the purpose? The more complicated the password is, the safer you are. Also, when it comes to password management, you do not need to do it all on your own. We advise implementing a tool that you could use to generate, save, and autofill your password when needed for free. Sounds too good to be true? Well, that is the reality. Download the free Cyclonis Password Manager and forget about your password woes today.

The tool has an integrated Password Generator that makes creating strong and unique passwords extra easy. Among many other features, it also has a Wallet feature that allows you to save credit card information, which you can have auto-filled whenever you make a new online purchase. The Cyclonis Password Manager can also save your PIN codes, secret answers, and other sensitive information in Private Notes. Ultimately, it is a free tool that is bound to make your online login experience easy and, most importantly, safe. That being said, it will not protect you against data breaches and general carelessness, and so you need to make sure that you are always mindful and always ready to face virtual security dangers.

August 21, 2019
