Npower, one of the UK's big six energy providers, serving 3.6 million residential and business accounts, has shut down its mobile app after hackers accessed customers' accounts, including partial bank details.
Npower says customer accounts were accessed using login data obtained from other websites - a common technique used by hackers, known as 'credential stuffing'.
The firm won't say how many accounts were hacked, though it says not all accounts were affected and customers whose accounts were accessed have now been contacted.
Data at risk includes personal information, such as dates of birth and addresses, bank sort codes and the last four digits of account numbers, and contact preferences.
An Npower spokesperson says: "We immediately locked any online accounts that were affected, blocked suspicious IP addresses and deactivated the Npower app. We’ve also notified the Information Commissioner’s Office and Action Fraud. Protecting customers’ security and data is our top priority."
Npower says it has shut down its app in the wake of the attack and does not intend to relaunch it.