TfL acts for a second time following August security breach - again blaming the risk of credential stuffing
November 29, 2019 By Graeme Burton

Oyster card users with online accounts have had their passwords reset by Transport for London - an indication that the data breach admitted in August might be far larger than originally suggested.
TfL chief technology officer Shashi Verma described it as a "precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL website. This is a routine step to enhance the security of our online accounts."
Password resets are typically forced on users to mitigate the risks of a credential stuffing attack. Oyster card users with online accounts will need to reset their passwords, with the password being sent to each user's registered email address.