Card Sharp

TfL resets passwords for every Oyster account in London

No Disney+ shenanigans for the tube

AUNTIE BEEB of transport, Transport For London (TfL), has taken drastic action in the wake of a relatively tiny security incident.

Cast your mind back to August - the weather was fairly lousy and TfL confirmed that around 1200 Oyster accounts had been hacked.

For the not-of-London, an Oyster card is London's joined-up RFID-powered travel card - custodian of top-up fares and annual season tickets alike.

Although that was a minor hack in relative terms, TfL has decided to take action to ensure that nothing like it happens again, and is resetting everyone's passwords.

That means, if you have an online account to manage your Oyster card, next time you log in, you'll find that you're effectively locked out of your account. You just need to request a password reset and one will be sent to your email. If you don't have access to that email address anymore but haven't updated it, more fool you.

TfL hasn't made the decision off the back of any specific threat. What it is going after is the practice of 'credential stuffing' - using credentials from other hacks to access accounts where the same password has been used.

It's the same trick that has seen credentials for Disney+ being sold, despite no hack actually having taken place - if you use the same password on multiple sites, there's no actual need for a hack.

All new passwords will need at least eight characters - a mixture of lower and upper case and numbers - and it's a term of use that you don't share them with anyone else, which means not using the same password on multiple sites.

TfL emphasises that this isn't going to affect the functionality of cards - your travel plans will not be affected - it only applies to your online account.

Given that for the most part, Oyster "just works", you probably haven't checked it in years anyway.

If you want to get ahead of the game, you can reset your password now at this link. μ