Great Western Rail has taken the precaution of resetting the passwords for all its customers after detecting a limited campaign of password reuse attacks.
As reported by The Register, the British train operating company detected password reuse attacks against some of its customers’ GWR.com accounts. In total, it found that bad actors had targeted 1,000 accounts out of a million. The railway firm responded by notifying all affected customers and contacting the United Kingdom’s Information Commissioner’s Office (ICO).
No information was available about the attacks on GWR.com at the time of publication.
It’s unclear what types of information the bad actors might have stolen if they succeeded in gaining access to a customer’s account. In a tweet to a concerned individual, the company said that it had disclosed that information to affected customers only and had not made it public.
Hi Stuart. We have only sent this information to people directly affected. -Rachel
— GWR Help (@GWRHelp) April 11, 2018
Great Western Rail told The Register the incident was limited in scope. But that didn’t stop it from sending out an email to all GWR.com account holders informing them it had reset their passwords and that they’d need to protect their accounts with a new combination.
To ensure the security of your personal information you will need to do this when you next log in to the GWR.com website. You should use a unique password for each of your accounts for security, and we recommend you review all of your accounts for maximum security, and we recommend you review all your online passwords and change any that are the same.
Some customers thought the email from Great Western Rail was a scam.
@GWRHelp Hi there, I've received an email claiming to be from GWR about how my "password has been reset" due to an attempted hack. Is this legitimate? I can provide more info if needed. Thanks in advance! pic.twitter.com/3Yh7AaXaMu
— Laura (@lanttans) April 10, 2018
@GWRHelp Is this email about the possibility of my account being hacked and the need to change password legitimate? It doesn’t read very well in para 3 so thought I’d check. Received today at 5.30 from firstname.lastname@example.org pic.twitter.com/jVgQb8Dwoi
— Elizabeth G (@mayfieldmassive) April 10, 2018
The rail company responded to those concerns by confirming the legitimacy of the email.
To protect their accounts against password reuse attacks, customers should activate additional security features like two-factor authentication (2FA) when web services make them available. They should also protect their accounts with a strong, unique password. Here are some expert tips on how to do so.