CLEVELAND — FirstEnergy customers are being asked to reset their password “out of an abundance of caution” after the company detected suspicious activity involving numerous attempts to log into customer accounts using credentials obtained from a source outside of FirstEnergy, according to Jennifer Young, spokesperson for the company.
The electric company began informing customers Saturday via email of the need to reset their passwords following the attempted breach.
Young said the routine check of FirstEnergy’s website and customer online accounts revealed what is commonly referred to in cybersecurity as password or credential stuffing. This can happen when someone obtains a list of credentials from one source and tries them on a variety of sites.
“While the vast majority of these attempts were unsuccessful, we became aware that a number of unauthorized logins were completed,” Young said. "While I’m not able to provide the number of our customers who have online accounts or the number of unauthorized logins, we are requiring all FirstEnergy customer who utilize an online account to reset their password."
For cyber security experts keeping seperate passwords for each account is the first line of defense against hacking attempts.
"Hacking of different types is going to be the number one crime," said Timothy Dimoff with SACS Consulting in Akron. "It's not a crime where we can physically just, easily, go and knock on their door and arrest them."
FirstEnergy said none of its networks were accessed without authorization and none of its operations were impacted.
The information available through a customer’s online account includes the person’s name, street address, email address, phone number, account number and the last four digits of any associated banking accounts previously authorized for bill payment.
“We have no evidence that any of the suspicious logins altered, accessed or retrieved any of that information. Importantly, no sensitive customer information, such as complete bank account or credit card information, is available through the online account access.,” Young said in a statement.
Despite that, Dimoff warns people to change everything.
"Anywhere that password is utilized, it should be changed," he said.
FirstEnergy suggests customers follow these practices when resetting their password:
- Do not reuse old passwords.
- Do not use the same password for multiple online accounts. Every password should be unique.
- Do not reveal your password to others.
- Do not use words that can be found in the dictionary.
- Follow the complexity requirements of the website (e.g., length of password, required use of special characters).
- Do not use passwords that contain information about you (e.g., your birthday).
Download the News 5 Cleveland app now for more stories from us, plus alerts on major news, the latest weather forecast, traffic information and much more. Download now on your Apple device here, and your Android device here.