Boots suspends loyalty card payments after hackers try to compromise accounts

Graham Cluley
@gcluley

Hot on the heels of Tesco warning that hackers had attempted to access the accounts of Clubcard users, another UK high street retailer has warned that it has similarly been attacked.

Boots Advantage Card holders are temporarily prevented from using loyalty points from their accounts to pay for products in stores or on the Boots website, after a reported 140,000 of the pharmacy’s 14.4 million Advantage Card holders were targeted.

Boots, like Tesco, says that its own systems were not compromised, and no payment card information has been accessed. Instead, this appears to have been another credential-stuffing attack where hackers use a database of usernames and passwords stolen from a different site to see what else they might unlock.


The problem here is that far too many people use the same password for different sites. That’s like using the very same key to lock your bicycle, your house, your car, the door to the bank vault where your money is kept. If you happen – perhaps through no fault of your own – to have one key stolen, it can be used by criminals to steal your possessions elsewhere.

This is one of the reasons why it’s so essential to never re-use passwords. If you find it too hard to remember all of your passwords (you will if you’re doing it properly) then you should invest in a password manager to do it for you.

In a statement Boots confirmed that it had suspended payments, in an attempt to prevent hackers from using the points to buy products themselves, and would be notifying affected customers:

Our customers’ safety and security online is very important to us. We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts. These attempts can be successful if people use the same email and password details on multiple accounts.

We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.

Sure enough, Boots customers are reporting that they have received the following email warning them that someone has been trying to break into their Advantage Card account using stolen credentials:

Boots customers would be wise to reset their passwords, and choose a unique, hard-to-crack new password.

With the credential-stuffing attacks hitting both Tesco and Boots loyalty card owners in rapid succession, it wouldn’t be a surprise if the attackers use the database of stolen credentials at their disposal in other attempts to breach accounts.

Retailers would be wise, therefore, to ensure that they have measures in place to reduce the chances of a credential-stuffing attack succeeding. These include – but are not limited to – multi-factor authentication (MFA).



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
