FirstEnergy locks online accounts, requires new passwords after hack attempt

West Penn Power parent FirstEnergy locked all of its customers online accounts Friday after a large scale attempt to break into them, a spokeswoman for the electric utility said Sunday.

There was no evidence that any information was accessed, altered or taken from customer accounts, which number in the millions, and there was no threat or impact to electric service, FirstEnergy spokeswoman Jennifer Young said.

No sensitive customer information, such as complete bank account or credit card information, is available through the online accounts, according to the company.

Customers were being contacted by email with instructions to reset their account passwords.

While routinely monitoring its website and customer online accounts, Young said FirstEnergy recently detected a large number of attempts to log into customer accounts using usernames and passwords that appeared to come from a source outside the company. While most of the attempts were not successful, Young said an unknown number of unauthorized logins were completed.

Among the accounts where login attempts were successful, Young said there were no signs that those who did so accessed the account information that is available.

Young said the attack is known as “credential stuffing,” where someone buys a list of potential usernames and passwords on the dark web and tries to use them on a large number of companies’ online accounts to see what works.

Most of the usernames and passwords that were attempted to be used are not for FistEnergy accounts, she said.

She did not know if the attempts had stopped or if they were ongoing.