AKRON, OHIO — FirstEnergy is advising customers of a problem with security on its website — and saying new passwords will be required to access online accounts.
“As part of our security processes to help keep your accounts safe, we regularly monitor FirstEnergy’s website and customer online accounts,” the parent company of Penelec, West Penn Power and several other electric companies posted.
In a statement issued over the weekend, FirstEnergy went on to say it “recently detected suspicious activity involving numerous unauthorized attempts to log into customer accounts.”
To be exact, FirstEnergy spokeswoman Jennifer Young said Monday, “we had an increase last week. On Friday night we took the action to lock all our customer accounts.”
Specifically, FirstEnergy went on in its posting, “out of an abundance of caution, we have disabled all online account access and are requiring our customers to reset their passwords to access their FirstEnergy ‘My Account.’”
The problem involved something called “credential stuffing.” As Young put it, “someone buys a list of credentials from one source then tries them on a variety of sites.”
“We have about 6 million customers total across all of our states,” Young said. “Only a portion of those have online accounts.”
Such accounts can be utilized to pay bills online, check the status of ongoing power outages, analyze one’s electrical usage and submit meter readings, and receive email and text alerts.
The Akron, Ohio-based holding company said, “while the vast majority of these attempts were unsuccessful, we became aware that a number of unauthorized logins were completed.”
Young said the hacker or hackers used credentials that likely came from outside FirstEnergy, and that “only a small percentage were successful.”
Even with that, she said, there is no evidence that the hacker or hackers accessed any sensitive customer information.”
And, she went on, “there was no impact on our electric service. No impact on our operations.”
However, because of this latest problem, the company said customers “will not be able to access your account until the password update process has been completed.”
As customers are being directed on firstenergycorp.com, “to reset your password, enter your username and email address associated with your online profile. You will then be sent a link to complete the password update process with best practices for setting a strong password.”
“When you set passwords online,” Young said, “don’t reuse an old password. If someone has it on a list somewhere they could still use it today.”
The utility holding company said those with questions can visit “Contact Us” on that website if they have any questions or need assistance.