Transport for London’s Oyster card accounts compromised in credential stuffing attack

• Attackers accessed customers’ Oyster accounts using a list of stolen usernames and passwords obtained from other sources.
• TFL suspended online Oyster card accounts and has implemented additional security measures to prevent further intrusion.

What is the issue?

Transport for London disclosed that a few online Oyster travel smartcard accounts have been compromised in a credential stuffing attack.

What happened?

Attackers accessed customers’ Oyster accounts using a list of stolen usernames and passwords obtained from other sources.

Due to this incident, users faced issues while accessing their online accounts. Upon learning the incident, TFL launched an investigation to determine the source and extent of the incident.

Meanwhile, the UK capital's transport authority noted that this incident occurred due to users reusing their login credentials for their Oyster accounts that were also used for one or more hacked websites.

What is the impact?

• The investigation determined that around 1,200 Oyster card customer accounts had been compromised.
• However, no customer payment details were compromised in the incident.

What actions were taken?

• Upon discovery, the London Transport Authority reported the incident to the National Cyber Security Centre and British Transport Police.
• TFL suspended online Oyster card accounts and has implemented additional security measures to prevent further intrusion.
• Further, TFL has requested all customers to never reuse the same passwords across multiple sites.

“While this is a very small proportion of our 6 million online Oyster card account holders, we want to be absolutely safe and to protect our customers’ accounts so have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place,” Transport for London told The Register.