At 2pm this afternoon TfL locked everyone out of their online accounts pending a password reset. All you need to do is click on the forgotten password link and enter your registered email address. If that address exists on the system you’ll be sent a link that lets you set a new password, and once that is done everything will work again. While you are locked out, all Oyster cards and contactless cards will still work for travel, and top-ups can be made at stations and Oyster Ticket Stop shops.
The beginning of this story dates back to August, when a number of TfL accounts were accessed maliciously using a list of email addresses and passwords stolen from other companies. Where people had re-used the same password on multiple sites, the attackers were able to get in. TfL spotted something was up because there was suddenly a large number of failed logins using email addresses that didn’t exist on its system: a stolen credential list replayed wholesale against a site produces a flood of failures for unknown addresses in a way that genuine customers mistyping their passwords never do. The online system was taken down immediately, limiting the success of the attack, and affected customers were contacted. No financial data was stolen. It’s worth reiterating that this attack was not due to anything that TfL had or hadn’t done; it was purely down to people using the same password for multiple accounts. Indeed it’s thanks to the quick work of TfL’s engineers that the attack wasn’t more successful.
When TfL brought the system back up again they had added the captcha page, designed to catch out robots and prevent the mass login attempts. Speed was of the essence in giving people access to their accounts again, so the captcha process was fairly crudely implemented. It was tidied up a little a few days later, and the intention is to properly integrate the captcha into the online experience in the near future. Since August TfL have been monitoring the situation and it’s clear that other people are still probing accounts using other leaked credential lists. The decision was therefore taken to force everyone to change their passwords. This means that TfL can now concentrate on moving forwards.
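To show the two mechanisms the story turns on, the detection signal (a burst of failed logins for addresses that do not exist, spread across many source addresses) and the follow-up decisions (switch logins to a captcha challenge, work out which existing accounts were touched by the attack traffic and need a reset), here is an added example. It is illustrative code written for this post, not TfL’s software; the log record layout, the five-minute window, the thresholds and every function name are assumptions chosen for the illustration, and the login records are constructed sample data.

```python
"""Credential-stuffing detection over constructed login-attempt records.

Added example for this post, not TfL's code. The record layout, window size,
thresholds and function names are all assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginAttempt:
    ts: datetime
    source_ip: str
    email: str
    outcome: str  # one of "ok", "bad_password", "unknown_account"


# Constructed sample log: a few ordinary logins, then a burst from 50 source
# addresses trying email addresses that do not exist on the system, followed by
# the same addresses trying real accounts with passwords leaked elsewhere.
BASE = datetime(2016, 9, 1, 14, 0, 0)
NORMAL_TRAFFIC = [
    LoginAttempt(BASE, "203.0.113.5", "alice@example.org", "ok"),
    LoginAttempt(BASE + timedelta(seconds=30), "203.0.113.6", "bob@example.org", "bad_password"),
    LoginAttempt(BASE + timedelta(seconds=45), "203.0.113.6", "bob@example.org", "ok"),
]
ATTACK_TRAFFIC = [
    LoginAttempt(BASE + timedelta(seconds=60 + i), f"198.51.100.{i % 50}",
                 f"user{i}@example.net", "unknown_account")
    for i in range(200)
] + [
    LoginAttempt(BASE + timedelta(seconds=260 + i), f"198.51.100.{i % 50}",
                 f"reused{i}@example.org", "bad_password")
    for i in range(40)
]
SAMPLE_LOG = NORMAL_TRAFFIC + ATTACK_TRAFFIC

# Assumed tuning: how much failure, how concentrated on unknown addresses, and
# how widely spread across source addresses a window must be before it counts.
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 50
MIN_UNKNOWN_RATIO = 0.5
MIN_DISTINCT_IPS = 10


def window_stats(attempts, start):
    """Summarise the failed logins that fall inside [start, start + WINDOW)."""
    end = start + WINDOW
    failures = [a for a in attempts if start <= a.ts < end and a.outcome != "ok"]
    unknown = [a for a in failures if a.outcome == "unknown_account"]
    return {
        "failures": len(failures),
        "unknown_ratio": len(unknown) / len(failures) if failures else 0.0,
        "distinct_ips": len({a.source_ip for a in failures}),
        "distinct_emails": len({a.email for a in failures}),
    }


def is_credential_stuffing(stats):
    """Many failures, mostly for non-existent accounts, from many addresses."""
    return (stats["failures"] >= MIN_FAILURES
            and stats["unknown_ratio"] >= MIN_UNKNOWN_RATIO
            and stats["distinct_ips"] >= MIN_DISTINCT_IPS)


def detect(attempts, step=timedelta(minutes=1)):
    """Slide the window over the log; return (window_start, stats) for each hit."""
    if not attempts:
        return []
    ordered = sorted(attempts, key=lambda a: a.ts)
    flagged = []
    start, last = ordered[0].ts, ordered[-1].ts
    while start <= last:
        stats = window_stats(ordered, start)
        if is_credential_stuffing(stats):
            flagged.append((start, stats))
        start += step
    return flagged


def login_policy(attempts, now):
    """Decide what the login page should demand right now: the captcha gate
    comes in while the most recent window looks like an attack."""
    stats = window_stats(attempts, now - WINDOW)
    return "captcha" if is_credential_stuffing(stats) else "password_only"


def accounts_to_reset(attempts, flagged):
    """Existing accounts that attack sources touched (whether or not the
    password was right), which are the candidates for a forced reset."""
    attack_ips = set()
    for start, _ in flagged:
        attack_ips.update(a.source_ip for a in attempts
                          if start <= a.ts < start + WINDOW
                          and a.outcome == "unknown_account")
    return sorted({a.email for a in attempts
                   if a.source_ip in attack_ips and a.outcome != "unknown_account"})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    print(f"{len(hits)} flagged window(s); first at {hits[0][0] if hits else None}")
    print("policy now:", login_policy(SAMPLE_LOG, BASE + WINDOW))
    print("accounts to reset:", len(accounts_to_reset(SAMPLE_LOG, hits)))
```

Run against the constructed log, the detector flags the windows that cover the burst, the login page flips to the captcha gate while the burst is in progress, and the forty existing accounts that the attacking addresses tried with leaked passwords come out as the reset list, while Alice and Bob, whose failures came from their own addresses, do not. The thresholds are the part a real deployment has to tune: the ratio of unknown-address failures is what separates a replayed breach list from ordinary typos, and the distinct-address count is what separates it from one misconfigured client.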
Shashi Verma, Chief Technology Officer at Transport for London said:
Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe. As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in. Customers can reset their account passwords quickly by visiting tfl.gov.uk/reset-password and following the on-screen instructions.
This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites.
This is a routine step to enhance the security of our online accounts. Customers will still be able to travel using an Oyster or Contactless card, as well as top up their cards at a ticket machine or an Oyster Ticket Stop.