Tube travellers have had their online payment accounts hacked, according to Transport for London (TfL).
Some 1,200 customers attempting to access their online Oyster card accounts have reported being denied access since Wednesday.
TfL said while no customer payment details had been breached it had “temporarily suspended” online contactless and Oyster accounts.
The transport body has six million online Oyster account holders.
A spokeswoman said the numbers compromised is believed to be small and an initial investigation indicated the Oyster online service had not been compromised.
“As a precautionary measure and to protect our customers’ data, we have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place.”
TfL said it believed hackers accessed the accounts of Oyster customers via a third party breach; people who might have recycled their passwords and logins for other websites.
The technique is known as “credential stuffing” and was first reported by The Register.
“We encourage all customers not to use the same password for multiple sites,” said TfL.
The London transport body said it would be contacting customers affected and had reported the incident to the National Cyber Security Centre and British Transport Police.