At 2pm this afternoon TfL locked everyone out of their online Oyster and contactless accounts pending a password reset. To get back in, click the forgotten password link and enter your registered email address. If that address exists on the system you’ll be sent a link that lets you set a new password, after which everything will work again. While you are locked out, all Oyster and contactless cards still work for travel, and top-ups can be made at ticket machines in stations and at Oyster Ticket Stops.
The beginning of this story dates back to August, when a number of TfL accounts were accessed maliciously using a list of email addresses and passwords stolen from other companies (the technique known as credential stuffing). Where people had re-used the same password on multiple sites, the attackers were able to get in. TfL spotted something was up because there was suddenly a large number of failed logins using email addresses that didn’t exist on their system: a list stolen from somewhere else contains plenty of people who never registered with TfL, so a burst of attempts against unknown accounts is the tell-tale sign. The online system was taken down immediately, limiting the success of the attack, and affected customers were contacted. No financial data was stolen. It’s worth reiterating that this attack was not due to anything that TfL had or hadn’t done; it was purely down to people using the same password for multiple accounts. Indeed, it’s thanks to the quick work of TfL’s engineers that the attack wasn’t more successful.
When TfL brought the system back up again they had added the captcha page, designed to catch out robots and prevent mass login attempts. Speed was of the essence in giving people access to their accounts again, so the captcha process was fairly crudely implemented. It was tidied up a little a few days later, and the intention is to properly integrate the captcha into the online experience in the near future. Since August TfL have been monitoring the situation, and it’s clear that other people are still trying credentials from other breaches against the login page. The decision was therefore taken to force everyone to change their passwords. This means that TfL can now concentrate on moving forwards.
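The signal described above, a spike in failed logins where most of the targeted email addresses are not on the system, is easy to turn into a detector. The following is an added example written for this post, not TfL’s own code: the log line format, the `ok` / `bad_password` / `no_such_account` result codes, the sample lines and the thresholds are all constructed for illustration. It buckets login events into fixed time windows, flags a window when failures are high and mostly target unknown accounts, and also lists accounts that logged in successfully from the same source IPs during that window, which is the list you would want when deciding which customers to contact.

```python
"""Flag credential-stuffing bursts in web login logs.

Added example, not TfL's code. The log format, result codes, sample
lines and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log. Hypothetical format:
#   <ISO-8601 UTC timestamp> <source IP> login <email> <result>
# where <result> is ok, bad_password or no_such_account.
# 10:00 is normal traffic; 10:05 is a stuffing burst from two IPs.
SAMPLE_LOG = """\
2019-08-01T10:00:01Z 203.0.113.5 login alice@example.com ok
2019-08-01T10:00:03Z 198.51.100.7 login bob@example.com bad_password
2019-08-01T10:00:04Z 203.0.113.6 login carol@example.org no_such_account
2019-08-01T10:05:01Z 198.51.100.7 login eve1@example.net no_such_account
2019-08-01T10:05:01Z 198.51.100.8 login eve2@example.net no_such_account
2019-08-01T10:05:02Z 198.51.100.7 login eve3@example.net no_such_account
2019-08-01T10:05:02Z 198.51.100.8 login frank@example.com bad_password
2019-08-01T10:05:03Z 198.51.100.7 login eve4@example.net no_such_account
2019-08-01T10:05:03Z 198.51.100.8 login dave@example.com ok
2019-08-01T10:05:04Z 198.51.100.7 login eve5@example.net no_such_account
2019-08-01T10:05:04Z 198.51.100.8 login eve6@example.net no_such_account
2019-08-01T10:05:10Z 203.0.113.9 login grace@example.com ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<email>\S+) "
    r"(?P<result>ok|bad_password|no_such_account)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def detect_stuffing(lines, window_seconds=60, min_failures=5, min_unknown_ratio=0.5):
    """Return one alert per time window that looks like credential stuffing.

    A window is flagged when it holds at least `min_failures` failed logins
    and at least `min_unknown_ratio` of those failures target email addresses
    that do not exist on the system. Per-IP counting alone is deliberately
    not relied on, since attackers rotate source addresses; the unknown-account
    ratio is the account-level signal the post describes.
    """
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than failing the whole run
        start = int(ev["ts"].timestamp()) // window_seconds * window_seconds
        buckets[start].append(ev)

    alerts = []
    for start in sorted(buckets):
        events = buckets[start]
        failures = [e for e in events if e["result"] != "ok"]
        if len(failures) < min_failures:
            continue
        unknown = sum(1 for e in failures if e["result"] == "no_such_account")
        ratio = unknown / len(failures)
        if ratio < min_unknown_ratio:
            continue
        attack_ips = {e["ip"] for e in failures}
        # Successful logins from IPs that also produced failures in this
        # window are the accounts most likely to have been compromised.
        hits = sorted(
            {e["email"] for e in events if e["result"] == "ok" and e["ip"] in attack_ips}
        )
        alerts.append(
            {
                "window_start": datetime.fromtimestamp(start, timezone.utc).strftime(
                    "%Y-%m-%dT%H:%M:%SZ"
                ),
                "failures": len(failures),
                "unknown_account_ratio": round(ratio, 2),
                "distinct_emails": len({e["email"] for e in failures}),
                "distinct_ips": len(attack_ips),
                "successes_from_attack_ips": hits,
            }
        )
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the 10:00 window is below the failure threshold and is ignored, while the 10:05 window is flagged with seven failures, six of them against accounts that do not exist, and `dave@example.com` is listed as a successful login from an attacking IP. In a real deployment the thresholds would be tuned against a baseline of normal failed-login volume, and the windows would be evaluated as the log streams in rather than after the fact.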
Shashi Verma, Chief Technology Officer at Transport for London said:
Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe. As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in. Customers can reset their account passwords quickly by visiting tfl.gov.uk/reset-password and following the on-screen instructions.
This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites.
This is a routine step to enhance the security of our online accounts. Customers will still be able to travel using an Oyster or Contactless card, as well as top up their cards at a ticket machine or an Oyster Ticket Stop.
I didn’t realise this was something that had happened deliberately and only noticed something was wrong when logging into my account didn’t work.
I feel it’s kind of poor that TfL didn’t contact users to tell them that this has happened tbh.
Hi Aidy,
I tend to agree and have passed your feedback over to TfL.
I agree – TfL should have proactively contacted customers who might need to change passwords elsewhere if they know they have used the same one on a number of sites. Not telling them has left them vulnerable. I am still locked out now!
Hi Danielle,
There’s a difference between having your account accessed and just being asked to change your password as a precautionary matter. If TfL had evidence that your account had been accessed maliciously then you would have been contacted.
If you are still having problems getting into your account because the password has been changed then please call the helpdesk.