This article is more than 1 year old

Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts

Public sector bods blame users recycling logins

Exclusive Transport for London's online Oyster travel smartcard system has been accessed by miscreants using stolen customer login credentials, The Reg can reveal, forcing IT bods to pull the website offline for a second day.

The UK capital's transport authority has blamed the intrusions on passengers who have used email address and password combinations for their Oyster accounts that were also used for one or more hacked websites: criminals who have nicked login details from other sites can use that information to get into the Oyster accounts of people who reuse the same usernames and passwords everywhere. This technique is known as credential stuffing.

A TfL spokesperson told us: "We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites. No customer payment details have been accessed, but as a precautionary measure and to protect our customers' data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place."

In fiscal year 2018/19 nearly a billion rail, tram and bus journeys were made using Oyster cards, netting TfL a cool £2.3bn in revenue, according to its own statistics.

Over the past couple of days, increasing numbers of users noticed that they could not log in online and check their smartcards' balances or top them up with cash.

In tweets from Londoners asking why they can't access their online accounts and do things like cancel standing orders or change card details, TfL repeatedly insisted that the problem was "performance issues impacting users".

TfL's response to the attack on the accounts included taking down staff access to Oyster systems as well, though Londoners using ticket machines to top up at stations seem unaffected so far.

TfL also told us: "We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.”

The transport authority did not say how many users had been affected. ®

Updated to add at 1629 UTC 8 August

TfL got in touch to tell The Reg: "We have identified around 1,200 accounts that have been accessed maliciously.

"While this is a very small proportion of our 6 million online Oyster card account holders, we want to be absolutely safe and to protect our customers’ accounts so have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place."

In short, don't use the same username and password combination across multiple websites.

More about


Send us news

Other stories you might like