Credentials stuffing attack prompts password resets for Sky customers

SkyImage: ZDNet

British telco Sky has locked iD accounts as a safety measure following a credentials stuffing attack detected last month.

The measure was taken as a precaution, the company told ZDNet via email.

Hackers accessed some email accounts following last month’s credentials stuffing attack, but those users had their accounts locked and were notified at the time.

The accounts that have been locked yesterday have not been breached, the company told us.

Instead, Sky said they were locking accounts and prompting users to reset their passwords “as [a] good password management practice.”

Customers are being notified via email, asked to visit a page on the company’s site, where they’re asked to call a phone number where an automate system will unlock their accounts, and then go through a series of steps to reset their Sky iD account passwords.

Depending on when a Sky user has received an email notification from the company, they can tell if their account has been accessed by hackers, or not.

Credential stuffing attacks are when hackers use username and password combinations that have been made public through security breaches at other companies, and use them to gain access to accounts on other services, hoping that users had reused passwords across accounts.

These types of attacks have been growing in frequency at an alarming rate since last year.

Companies like ad blocker AdGuard, banking giant HSBC, social media site Reddit, video sharing portal DailyMotion, delivery service Deliveroo, enterprise tool Basecamp, restaurant chain Dunkin’ Donuts, and tax filing service TurboTax have all publicly acknowledged being on the receiving end of credential stuffing attacks, where hackers had gained access to some accounts.

More data breach coverage: