Great Western Rail is urging all customers to change their GWR.com passwords after miscreants gained access to strangers' accounts over the last week.
The British train company said circa 1,000 accounts were directly affected out of more than a million, and has written to those customers and the UK Information Commissioner's Office.
It appears scumbags took username and password combinations leaked from other hacked websites and services, and used those to log into GWR.com accounts that had reused those credentials. This is a common attack known as credential stuffing.
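The pattern that makes credential stuffing detectable on the defender's side is the inverse of a brute-force attack: one source tries many different accounts, each only once or twice, because every username/password pair comes from a leak and is either right or wrong. The following script is an added example, not code from the article, The Register or GWR. It runs detection logic over a handful of constructed log lines in a hypothetical `timestamp ip=… user=… result=OK|FAIL` format; the log format, the RFC 5737 documentation IPs, the 10-minute window and the thresholds are all assumptions chosen for illustration, and it additionally lists which accounts were successfully logged into from a flagged source, which is the set a site would force-reset first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines for a hypothetical web login audit log; not real
# GWR data. Three sources are included: a leaked-list replay across many
# accounts (203.0.113.5), a legitimate user who mistyped once (198.51.100.7)
# and a single-account brute force (192.0.2.9) that must NOT be reported as
# credential stuffing, since per-account lockout is the control for that.
SAMPLE_LOG = """\
2018-04-08T10:15:01Z ip=203.0.113.5 user=alice result=FAIL
2018-04-08T10:15:02Z ip=203.0.113.5 user=bob result=FAIL
2018-04-08T10:15:02Z ip=203.0.113.5 user=carol result=OK
2018-04-08T10:15:03Z ip=203.0.113.5 user=dave result=FAIL
2018-04-08T10:15:03Z ip=203.0.113.5 user=erin result=FAIL
2018-04-08T10:15:04Z ip=203.0.113.5 user=frank result=OK
2018-04-08T10:15:05Z ip=203.0.113.5 user=grace result=FAIL
2018-04-08T10:15:05Z ip=203.0.113.5 user=heidi result=FAIL
2018-04-08T10:15:06Z ip=203.0.113.5 user=ivan result=FAIL
2018-04-08T10:15:06Z ip=203.0.113.5 user=judy result=FAIL
2018-04-08T10:20:00Z ip=198.51.100.7 user=alice result=FAIL
2018-04-08T10:20:30Z ip=198.51.100.7 user=alice result=OK
2018-04-08T11:00:00Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:01Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:02Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:03Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:04Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:05Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:06Z ip=192.0.2.9 user=mallory result=FAIL
2018-04-08T11:00:07Z ip=192.0.2.9 user=mallory result=FAIL
"""

# Assumed log line format (hypothetical, for this example only).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the hypothetical log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # ignore lines that are not login events
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, max_tries_per_user=2.0):
    """Flag sources that replay a leaked list; list accounts they got into.

    A source IP is flagged when, within any `window`, it attempts logins for
    at least `min_users` distinct accounts with on average no more than
    `max_tries_per_user` attempts per account: many accounts, few tries each.
    A single account hammered from one IP fails the ratio test and is left
    to per-account lockout. Thresholds are assumptions for the example.
    """
    by_ip = defaultdict(list)
    for e in events:  # events are already time-sorted
        by_ip[e["ip"]].append(e)

    flagged = set()
    for ip, evs in by_ip.items():
        win = deque()  # sliding window of this IP's recent attempts
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            users = {w["user"] for w in win}
            if len(users) >= min_users and len(win) / len(users) <= max_tries_per_user:
                flagged.add(ip)
                break

    # Successful logins from a flagged source are the accounts whose reused
    # password was in the leaked list: reset these first.
    exposed = {e["user"] for e in events if e["ok"] and e["ip"] in flagged}
    return {"flagged_ips": sorted(flagged), "exposed_accounts": sorted(exposed)}


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))
```

Real attackers spread the replay across many IPs (proxies, botnets) to stay under any per-IP threshold, so in production the same distinct-accounts-per-source test is usually also run per ASN or per device fingerprint, and is backed by checking submitted passwords against known-breached lists at login and password-change time.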
"We are now asking other account holders to do the same as a precaution against potential further attempts," GWR told The Register.
"This kind of attack uses account details harvested from other areas of the web to try and catch out consumers with poor password habits. Sadly, it is the kind of attack that is experienced on a daily basis by businesses across the globe, and is a reminder of the importance of good password practice.
"We have acted quickly and decisively with our partners to protect our customers' data, and have taken clear steps to stop it happening again."
In a general email to account holders, GWR said it has reset all GWR.com passwords as a precaution: "To ensure the security of your personal information you will need to do this when you next log in to the GWR.com website.
"You should use a unique password for each of your accounts for security, and we recommend you review all of your accounts for maximum security, and we recommend you review all your online passwords and change any that are the same."
However, some customers who received the email were concerned the note may have been sent by scammers.
@GWRHelp Hi there, I've received an email claiming to be from GWR about how my "password has been reset" due to an attempted hack. Is this legitimate? I can provide more info if needed. Thanks in advance! — Laura (@lanttans) April 10, 2018
@GWRHelp Is this email about the possibility of my account being hacked and the need to change password legitimate? It doesn't read very well in para 3 so thought I'd check. Received today at 5.30 from firstname.lastname@example.org — Elizabeth G (@mayfieldmassive) April 10, 2018
@GWRHelp I’ve just had an email from GWR saying to change my password - is this legitimate? I wasn’t necessarily aware I had an account.— Grant Brisland (@GBrisland) April 10, 2018
The Register has asked GWR for further comment. ®