Dutch energy supplier Eneco has warned tens of thousands of clients, including business partners, to change their passwords amid a recent data breach.
Eneco, a producer and supplier of natural gas, electricity and heat in the Netherlands, serves more than 2 million business and residential customers.
In a recent statement, the company said that “cyber criminals have used email addresses and passwords from previous thefts at other websites to gain access to approximately 1,700 private and small business My Eneco accounts, the online environment for Eneco customers.”
It says affected customers may have had their data “viewed and possibly changed by third parties,” but it does not detail what data was exposed, nor does it warn that attackers typically reuse such data for phishing or fraud, as is common after account takeovers of this kind.
The company adds that “affected customers have been notified and must create a new account with a different password.”
“We are investigating whether we can also take additional measures to further secure logging in to My Eneco,” adds the notice, obtained by Databreaches.net.
All affected customers have been sent an email with instructions on how to create a new My Eneco account.
A separate group of approximately 47,000 customers is also being informed by email about the incident “as a precaution.” Eneco says that, for this group, there is no reason to assume their accounts were viewed. However, because these customers also used the service around the time of the breach, “they are advised to change their password as a precaution.”
The company appears to take little responsibility for the incident, despite suffering what looks like a textbook credential-stuffing attack.
It also places the burden on users to create a new account and password. A safer first step would have been to reset the affected accounts' passwords and invalidate their active sessions automatically as soon as the intrusion was detected, severing the attackers' access without waiting for each user to act.
The attackers apparently used classic credential stuffing, replaying username and password pairs stolen in earlier breaches at other sites. Such attacks are comparatively cheap to blunt: enforcing multi-factor authentication on customer accounts means a stolen password alone no longer grants access, while checking new passwords against known-breached credential lists and rate-limiting login attempts per account and per source address make the replay itself detectable and expensive.
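Credential stuffing has a recognisable signature in a provider's own authentication logs: one source address cycling through many distinct usernames in a short window, most attempts failing and a few succeeding. The following is an added example, not code from Eneco or from the article, showing how that pattern can be flagged and how the accounts that actually suffered a successful login from a flagged source can be listed for forced reset. It assumes a hypothetical log line format of `<ISO timestamp> <source IP> <username> <OK|FAIL>` and runs over constructed sample data embedded in the block.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Assumed log line format (hypothetical, not Eneco's): "<ISO ts> <src IP> <user> <OK|FAIL>".
All sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the assumed line format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events: Iterable[Event],
                          window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 15,
                          max_success_ratio: float = 0.25) -> Dict[str, Dict[str, int]]:
    """Return per-IP totals for every source address that, inside some sliding
    window, tried at least `min_accounts` distinct usernames with a success ratio
    at or below `max_success_ratio`. Thresholds are illustrative assumptions."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            successes = sum(e.ok for e in chunk)
            if len(users) >= min_accounts and successes / len(chunk) <= max_success_ratio:
                flagged[ip] = {
                    "accounts": len({e.user for e in evs}),
                    "attempts": len(evs),
                    "successes": sum(e.ok for e in evs),
                }
                break
    return flagged


def compromised_accounts(events: Iterable[Event], flagged_ips: Iterable[str]) -> Set[str]:
    """Accounts with a successful login from a flagged source: the set to reset
    and notify immediately, rather than waiting for each user to act."""
    bad = set(flagged_ips)
    return {e.user for e in events if e.ip in bad and e.ok}


def _constructed_sample() -> str:
    """Constructed sample log: one stuffing source, one fat-fingered user, one shared NAT."""
    base = datetime(2023, 11, 2, 3, 14, 0)
    lines = []
    # Attacker: 30 different accounts in six minutes from one address, two of them hit.
    for i in range(30):
        ts = base + timedelta(seconds=12 * i)
        outcome = "OK" if i in (7, 22) else "FAIL"
        lines.append(f"{ts.isoformat()} 203.0.113.7 user{i:03d}@example.net {outcome}")
    # Legitimate user who mistypes once, then succeeds.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 198.51.100.4 alice@example.net FAIL")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 198.51.100.4 alice@example.net OK")
    # Shared office NAT: a few distinct users, all succeeding (must not be flagged).
    for i, name in enumerate(["bob", "carol", "dave"]):
        lines.append(f"{(base + timedelta(minutes=3 + i)).isoformat()} 192.0.2.10 {name}@example.net OK")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts to force-reset:", sorted(compromised_accounts(evs, flagged)))
```

The distinct-account count is what separates stuffing from a single user's typos or from a shared NAT where several people log in successfully; tune `min_accounts` and `max_success_ratio` to the service's real traffic before alerting on them. Flagging only tells you where the replay came from; the accounts returned by `compromised_accounts` are the ones whose passwords must be reset and whose sessions must be revoked, which is the automatic step the article argues Eneco should have taken itself.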
To its credit, the firm swiftly reported the incident to the Dutch Data Protection Authority and is now informing all customers through various channels of the importance of good password hygiene, “so that such attacks can be prevented even better in the future, both at Eneco and other online accounts,” it says.