London commuters may have noticed their Transport for London online accounts have suddenly been locked.

The transport giant took steps on Thursday afternoon (November 28) to protect all of its Oyster and contactless customers who use the London Underground by forcing everyone to reset their online passwords.

The news comes after TfL became aware in August 2019 that a small number of customers had their online accounts accessed maliciously.

TfL believes that this occurred after the customers' login credentials were compromised when using non-TfL websites and then tried against their TfL accounts - commonly known as 'credential stuffing'.

No customer payment details were accessed and all affected customers were contacted and informed about this at the time.

But TfL says it wants to reduce the risk of further incidents happening in the future, so it has taken this action as a precautionary measure.

Accounts will become unlocked once customers request a password reset. The reset will then be sent as a link to their registered email account to ensure further protection.

When reset, passwords will need to be at least eight characters long and contain a mixture of numbers, upper-case letters and lower-case letters.

Customers should also ensure their accounts stay secure by never sharing their password or account details with any third-party apps or websites - and using different passwords for online accounts.

While their account is locked, customers will still be able to travel on Tubes, buses and trains using their Oyster or contactless card, as well as top up their cards at a ticket machine or an Oyster ticket stop.

Reset your password quickly

Shashi Verma, chief technology officer at TfL, said: "Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe.

"As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in.

"Customers can reset their account passwords quickly by visiting this website and following the on-screen instructions.

"This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites.

"This is a routine step to enhance the security of our online accounts."

'Don't use the same password across websites'

Dr George Loukas, associate professor in cybersecurity at the University of Greenwich, said: "It is often tempting to use the same password or slight variations on different websites. Don’t.

"Every time you hear on the news that your favourite online shop, online gaming site or online storage provider has been hacked, you can consider the username and password pairing that you used there as practically public knowledge.

"After cyber criminals get hold of your compromised credentials, they use inexpensive software that automatically checks where else you have used them – commonly known as 'credential stuffing'.

"They then often sell these on to other cyber criminals that will benefit from impersonating you, for example on your social media or to make payments online on your behalf.

"Protecting yourself from this is relatively simple. Use different passwords for every online service you use.

"If this sounds too much, then try a password manager that does it for you. If any online service you use offers two-factor authentication, then give that a try too."

TfL is working with the British Transport Police to investigate who is behind this, with one arrest made to date. The Information Commissioner's Office has been notified.