Over 600,000 Tesco Clubcard owners are being sent new cards after the supermarket giant determined hackers had attempted to access accounts.
In an email sent to affected Clubcard users, Tesco said it had spotted fraudulent activity related to some customers’ Clubcard vouchers.
As a precaution, Tesco has locked customers’ accounts and Clubcard vouchers. The retailer, which says that no customer financial information was accessed, believes that hackers may have attempted to break into accounts by using a database of usernames and passwords stolen from a different site.
It appears that Tesco Clubcard customers have fallen victim to what’s known as a “credential stuffing” attack. This is where a malicious attacker attempts to log into accounts without permission, using usernames and passwords that have leaked from data breaches that have happened in the past on unrelated websites.
Such attacks will, of course, be unsuccessful if users have been careful not to reuse the same password on different websites. Unfortunately, far too many people do still recycle the same passwords – rather than use a strong, hard-to-crack, unique password generated by a password manager.
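The login pattern described above can be spotted in authentication logs. The following Python is an added example, not from the article or from Tesco; the event format, thresholds and sample data are assumptions constructed for illustration. It flags a source that tries many distinct accounts with mostly failed logins, and lists the accounts where a login succeeded, which are the ones to lock.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (timestamp, source IP, username, success)."""
    t0 = datetime(2020, 3, 1, 9, 0, 0)
    ev = []
    # One source, 30 accounts tried once each; two succeed (reused passwords).
    for i in range(30):
        ev.append((t0 + timedelta(seconds=2 * i), "203.0.113.7",
                   f"user{i:02d}@example.com", i in (11, 23)))
    # A forgetful customer: four failures on one account, then success.
    for i in range(5):
        ev.append((t0 + timedelta(seconds=20 * i), "198.51.100.20",
                   "alice@example.com", i == 4))
    # Shared office address: six different users, all successful.
    for i in range(6):
        ev.append((t0 + timedelta(minutes=i), "192.0.2.50",
                   f"staff{i}@example.com", True))
    return ev

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=10, min_fail_ratio=0.8):
    """Flag sources hitting many distinct accounts with mostly failed logins."""
    # Thresholds are illustrative assumptions, not tuned values.
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start so it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            accounts = {u for _, u, _ in win}
            ratio = sum(not ok for _, _, ok in win) / len(win)
            if len(accounts) < min_accounts or ratio < min_fail_ratio:
                continue
            if ip not in findings or len(accounts) > findings[ip]["accounts"]:
                findings[ip] = {
                    "accounts": len(accounts), "fail_ratio": round(ratio, 2),
                    # Successful logins from a flagged source: lock these.
                    "to_lock": sorted({u for _, u, ok in win if ok})}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

The forgetful customer and the shared office address are not flagged: the first touches only one account, and the second has no failures.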
New Clubcards are expected to arrive by March 16 2020. In an FAQ, Tesco is advising that once replacement cards have been delivered, old cards should be “securely destroyed”, and has reassured customers that “no one will lose the value of any of their Clubcard vouchers or points.”
This isn’t the first time Tesco Clubcard owners have found themselves rocked by a security scare.
Back in 2014, a database of over 2000 Clubcard usernames and passwords was published on the internet. Again, the data is thought to have been collected from other unrelated data breaches – rather than a hack at Tesco itself – underlining the importance of never using the same password on different sites.