Londonist are reporting that TfL have taken a ‘precautionary measure’ to protect Oyster and contactless online accounts from potential malicious use:
The transport giant has taken steps on Thursday afternoon (November 28) to protect all of its Oyster and contactless customers who use the
London Underground by forcing everyone to reset their online passwords.
The news comes after TfL became aware in August 2019 that a small number of customers had their online accounts accessed maliciously.
TfL believes that this occurred after their login credentials were compromised when using non-TfL websites - commonly known as ‘credential stuffing’.
No customer payment details were accessed and all affected customers were contacted and informed about this at the time.
But TfL says it wants to reduce the risk of further incidents happening in the future so taken this action as a precautionary measure.
While their account is locked, customers will still be able to travel on Tubes, buses and trains using their Oyster or contactless card, as well as top up their cards at a ticket machine or an Oyster ticket stop.
Notably I also had to
prove I’m not a robot a few times before trying to log in.
I’m sure some
# may have something to add, but at least to me it doesn’t make exact sense to force all passwords to be reset for the reasons given; more likely they lost the database somehow, back before August I’d guess. geeks