At 2pm this afternoon TfL locked everyone out of their online accounts pending a password reset. All you need to do is click on the forgotten password link and enter your registered email address. If that address exists on the system you’ll be sent a link to enable you to set a new password. Once done everything will work again. While locked out, all Oyster cards and contactless cards will still work for travel, and topups can be made at stations and ticket stop shops.
The beginning of this story dates back to August when a number of TfL accounts were accessed maliciously using a list of email addresses and passwords stolen from other companies. Where people have re-used the same password on multiple sites the hackers were able to get in. TfL spotted something was up because there were suddenly a large number of invalid logins using email addresses that didn’t exist on their system. The online system was taken down immediately, limiting the success of the attack,