Boots suspends loyalty card payments after hackers try to compromise accounts

Boots suspends loyalty card payments after hackers try to compromise accounts

Hot on the heels of Tesco warning that hackers had attempted to access the accounts of Clubcard users, another UK high street retailer has warned that it has similarly been attacked.

Boots Advantage Card holders are temporarily prevented from using loyalty points from their accounts to pay for products in stores or on the Boots website, after a reported 140,000 of the pharmacy’s 14.4 million Advantage Card holders were targeted.

Boots, like Tesco, says that its own systems were not compromised, and no payment card information has been accessed. Instead, this appears to have been another credential-stuffing attack where hackers use a database of usernames and passwords stolen from a different site to see what else they might unlock.

Sign up to our free newsletter.
Security news, advice, and tips.

The problem here is that far too many people use the same password for different sites. That’s like using the very same key to lock your bicycle, your house, your car, the door to the bank vault where your money is kept. If you happen – perhaps through no fault of your own – to have one key stolen, it can be used by criminals to steal your possessions elsewhere.

This is one of the reasons why it’s so essential to never re-use passwords. If you find it too hard to remember all of your passwords (you will if you’re doing it properly) then you should invest in a password manager to do it for you.

In a statement Boots confirmed that it had suspended payments, in an attempt to prevent hackers from using the points to buy products themselves, and would be notifying affected customers:

Our customers’ safety and security online is very important to us. We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access accounts. These attempts can be successful if people use the same email and password details on multiple accounts.

We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.

Sure enough, Boots customers are reporting that they have received the following email warning them that someone has been trying to break into their Advantage Card account using stolen credentials:

Boots email

Boots customers would be wise to reset their passwords, and choose a unique, hard-to-crack new password.

With the credential-stuffing attacks hitting both Tesco and Boots loyalty card owners in rapid succession it wouldn’t be a surprise if the attackers use the database of stolen credentials at their disposal in other attempts to breach accounts.

Retailers would be wise, therefore, to ensure that they have measures in place to reduce the chances of credential-stuffing attack succeeeding. These include – but are not limited to – multi-factor authentication (MFA).

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.