Tesco blocks 620,000 Clubcard accounts after security scare

Using unique passwords can curb credential stuffing attacks.

Over 600,000 Tesco Clubcard owners are being sent new cards after the supermarket giant determined hackers had attempted to access accounts.

In an email sent to affected Clubcard users, Tesco said it had spotted fraudulent activity related to some customers’ Clubcard vouchers.

As a precaution, Tesco has locked customers’ accounts and Clubcard vouchers. The retailer, which says that no customer financial information was accessed, believes that hackers may have attempted to break into accounts by using a database of usernames and passwords stolen from a different site.


It appears that Tesco Clubcard customers have fallen victim to what’s known as a “credential stuffing” attack. This is where a malicious attacker attempts to log into accounts without permission, using usernames and passwords that have leaked from data breaches that have happened in the past on unrelated websites.

Such attacks will, of course, be unsuccessful if users have been careful not to reuse the same password on different websites. Unfortunately, far too many people do still recycle the same passwords – rather than use a strong, hard-to-crack, unique password generated by a password manager.
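From the defending site's side, credential stuffing has a recognisable shape in login logs: one source trying many different usernames in a short burst, with most attempts failing. The following is an added example, not code from Tesco or from this article; the log format, thresholds and function names are assumptions, and the log lines are constructed. It flags such sources and lists the accounts they did get into, which are the ones to lock.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: timestamp, source IP, username, outcome.
# Addresses are from documentation ranges; nothing here is real customer data.
SAMPLE_LOG = """\
2020-03-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-03-01T10:00:02 203.0.113.7 bob@example.com FAIL
2020-03-01T10:00:03 203.0.113.7 carol@example.com OK
2020-03-01T10:00:04 203.0.113.7 dave@example.com FAIL
2020-03-01T10:00:05 203.0.113.7 erin@example.com FAIL
2020-03-01T10:00:06 203.0.113.7 frank@example.com OK
2020-03-01T10:01:00 198.51.100.20 grace@example.com FAIL
2020-03-01T10:01:30 198.51.100.20 grace@example.com FAIL
2020-03-01T10:02:10 198.51.100.20 grace@example.com OK
2020-03-01T11:30:00 203.0.113.7 heidi@example.com FAIL
"""

def parse(log):
    """Yield (timestamp, ip, username, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, max_success=0.5):
    """Return {ip: accounts_to_lock} for sources that try many distinct
    usernames inside one window and mostly fail (assumed thresholds)."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {u for _, _, u, _ in burst}
            hits = {u for _, _, u, ok in burst if ok}
            if len(users) >= min_users and len(hits) / len(burst) <= max_success:
                # Accounts the source logged into used a leaked, reused password.
                flagged.setdefault(ip, set()).update(hits)
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(ip, "-> lock and reset:", sorted(accounts))
```

The second source in the sample, a single user mistyping their own password, is not flagged because it only ever tries one username.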

New Clubcards are expected to arrive by March 16 2020. In an FAQ, Tesco is advising that once replacement cards have been delivered, old cards should be “securely destroyed”, and has reassured customers that “no one will lose the value of any of their Clubcard vouchers or points.”

This isn’t the first time Tesco Clubcard owners have found themselves rocked by a security scare.

Back in 2014, a database of over 2000 Clubcard usernames and passwords was published on the internet. Again, the data is thought to have been collected from other unrelated data breaches – rather than a hack at Tesco itself – underlining the importance of never using the same password on different sites.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts.
