Npower has had to remove its app after login data was stolen to access customer accounts.

The energy provider, owned by E.ON – one of the UK’s big six energy suppliers – is yet to reveal how many people could have been affected by the cyber attack.

It is believed that personal contact details and partial financial information may have been obtained, according to, although full account numbers appear not to have been taken.

Npower said it has alerted those who may have been affected and “immediately locked” their accounts.

“We identified suspicious cyber activity affecting the npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as credential stuffing,” the company said in a statement.

“We’ve contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and advice on how to prevent unauthorised access to their online account.

“We immediately locked any online accounts that were potentially affected, blocked suspicious IP addresses and took down the npower app.”

The Information Commissioner’s Office (ICO) and Action Fraud have been informed of the incident.

Npower said the app was already set to be withdrawn as part of “existing wind-down plans”.

“Protecting customers’ security and data is our top priority and our robust defences helped us to identify this recent attack,” the firm added.

“It’s important we all continue to stay secure online and urge customers to avoid reusing the same password across multiple websites.”

The ICO confirmed it had been notified, saying: “Npower has made us aware of an incident affecting their app and we are making enquiries.”