Cyberattack on London's Oyster transport payment system

Transport for London (TfL), the agency responsible for public transport in the British capital, revealed that some contactless card accounts in Oyster, the payment system for transport, were accessed by unidentified cyberattackers.

The type of attack used is called credential stuffing and consists of attackers automatically gaining access to accounts through user-password pairs extracted in some filter, taking advantage of the bad practice of reusing credentials on different websites.

In an statement to The Register media, a TfL spokesperson commented that they had identified some 1200 illegally accessed accounts, although payment details have not been disclosed. As a precaution, they have temporarily closed the contactless and Oyster accounts, while improving the security of the platform, and have contacted affected users.