Tesco blocks 620,000 Clubcard accounts after security scare

Using unique passwords can curb credential stuffing attacks.


Over 600,000 Tesco Clubcard owners are being sent new cards after the supermarket giant determined hackers had attempted to access accounts.

In an email sent to affected Clubcard users, Tesco said it had spotted fraudulent activity related to some customers’ Clubcard vouchers.

As a precaution, Tesco has locked customers’ accounts and Clubcard vouchers. The retailer, which says that no customer financial information was accessed, believes that hackers may have attempted to break into accounts by using a database of usernames and passwords stolen from a different site.


[Image: Tesco's email to affected Clubcard customers]

It appears that Tesco Clubcard customers have fallen victim to what’s known as a “credential stuffing” attack. This is where a malicious attacker attempts to log into accounts without permission, using usernames and passwords that have leaked from data breaches that have happened in the past on unrelated websites.

Such attacks will, of course, be unsuccessful if users have been careful not to reuse the same password on different websites. Unfortunately, far too many people do still recycle the same passwords – rather than use a strong, hard-to-crack, unique password generated by a password manager.
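The attack pattern described above has a recognisable fingerprint in login logs: one source address cycling through many different usernames in a short time, most attempts failing, with the occasional success where a reused password happens to match. The following is an added example (not code from the article, from Tesco, or from any real system) showing one way a defender might spot that pattern and pick out the accounts to lock. The log format, the IP addresses (from the RFC 5737 documentation ranges), the usernames and the thresholds are all constructed for illustration.

```python
"""Flag source IPs whose login pattern looks like credential stuffing."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (not from Tesco or any real system).
# Fields: ISO timestamp, source IP, username, result.
# 203.0.113.7 tries eight different accounts in a few seconds, one succeeds.
# 198.51.100.4 is a genuine user mistyping their own password twice.
SAMPLE_LOG = """\
2020-03-02T10:00:01Z 203.0.113.7 alice FAIL
2020-03-02T10:00:02Z 203.0.113.7 bob FAIL
2020-03-02T10:00:03Z 203.0.113.7 carol FAIL
2020-03-02T10:00:04Z 203.0.113.7 dave OK
2020-03-02T10:00:05Z 203.0.113.7 erin FAIL
2020-03-02T10:00:06Z 203.0.113.7 frank FAIL
2020-03-02T10:00:07Z 203.0.113.7 grace FAIL
2020-03-02T10:00:08Z 203.0.113.7 heidi FAIL
2020-03-02T10:01:10Z 198.51.100.4 alice FAIL
2020-03-02T10:01:25Z 198.51.100.4 alice FAIL
2020-03-02T10:01:40Z 198.51.100.4 alice OK
2020-03-02T10:02:00Z 192.0.2.9 ivan OK
2020-03-02T10:30:00Z 203.0.113.7 judy OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, user, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "OK"))
    events.sort()
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, min_failure_ratio=0.6):
    """Return {ip: (distinct_users, failure_ratio)} for every source IP that,
    within some sliding time window, attempted at least `min_distinct_users`
    different accounts with a failure ratio of at least `min_failure_ratio`.
    Thresholds are illustrative; tune them against your own traffic."""
    per_ip = defaultdict(list)
    for when, ip, user, ok in events:
        per_ip[ip].append((when, user, ok))

    flagged = {}
    for ip, evs in per_ip.items():
        recent = deque()  # events from this IP inside the current window
        for when, user, ok in evs:
            recent.append((when, user, ok))
            while recent and when - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            failures = sum(1 for _, _, succeeded in recent if not succeeded)
            ratio = failures / len(recent)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), ratio)
    return flagged


def accounts_to_lock(events, flagged):
    """Accounts that were successfully logged into from a flagged IP: these are
    the ones whose reused password most likely matched, and the candidates for
    the kind of precautionary lock described in the article."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    for ip, (n_users, ratio) in hits.items():
        print(f"{ip}: {n_users} distinct accounts, {ratio:.0%} failures")
    print("lock:", sorted(accounts_to_lock(evs, hits)))
```

The genuine user at 198.51.100.4 is never flagged, because repeated failures against a single account are what a forgotten password looks like; the signal that distinguishes stuffing from ordinary mistakes is the spread across many distinct usernames. In practice the per-IP grouping is only a first cut, since stuffing tools often spread attempts across proxies, so the same counting is usually also applied per ASN or per device fingerprint.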

New Clubcards are expected to arrive by March 16 2020. In an FAQ, Tesco is advising that once replacement cards have been delivered, old cards should be “securely destroyed”, and has reassured customers that “no one will lose the value of any of their Clubcard vouchers or points.”

This isn’t the first time Tesco Clubcard owners have found themselves rocked by a security scare.

Back in 2014, a database of over 2000 Clubcard usernames and passwords was published on the internet. Again, the data is thought to have been collected from other unrelated data breaches – rather than a hack at Tesco itself – underlining the importance of never using the same password on different sites.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.
