A list revealing more than 2000 usernames and passwords, belonging to owners of Tesco Clubcards, has been published on the internet, raising concerns once again about how accounts are protected from online criminals.
The information published on the net includes usernames (in the form of an email address), passwords, and the balance of users’ Clubcard voucher accounts.
With the information, hackers could raid online accounts or send phishing emails to Tesco customers.
According to reports, Britain’s largest supermarket chain did not have its own systems hacked – but instead it is believed fraudsters stole information from other sites, exploiting the fact that many people unwisely use the same password on multiple websites.
Remember folks: Having the same password for different websites is a recipe for disaster. If one site gets hacked, and your login credentials are stolen, then that information can be exploited elsewhere on the web.
The most sensible course of action is to use different, hard-to-crack passwords for different sites. If you find it difficult (like me) to remember lots of different passwords – you really should be using password management software.
Software like Bitwarden, 1Password, and KeePass makes it easier to keep your passwords safe, and does all of the remembering for you.
There have been numerous reports in the last year of fraud involving Tesco Clubcards, with many victims claiming that their online accounts have been hacked and their vouchers stolen.
In the past, common complaints have included Clubcard holders logging into their account, only to find hundreds of pounds’ worth of vouchers have disappeared, or being told by customer service staff that their vouchers have been spent at a branch hundreds of miles away from their home.
In some cases, users have been unable to log into their accounts or have been told that the name on the account has been changed.
Tesco Clubcard crime spills out from the digital world into real life as well.
Just this week, for instance, a delivery driver who was supposed to have been disposing of unwanted Tesco Clubcard coupons was given a suspended jail sentence after being found guilty of stealing them, and spending over £5000 on the supermarket’s website.
It’s also probably appropriate to point out that Tesco hardly has an unblemished record when it comes to data security. In 2012, security expert Troy Hunt uncovered that the company was not following best practices when it came to its website and to securely storing users’ passwords, and Tesco was probed by the UK’s Information Commissioner’s Office (ICO).
However, there is no indication at this time that this latest security breach is related to those issues.
If you’re a Tesco Clubcard holder, it may be sensible to keep as close an eye on your account balance as you do on your regular bank account – and report any unexpected activity to the supermarket’s customer service team.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “Tesco customers’ usernames and passwords exposed by hackers”
I do wonder how much of the "leaked" usernames and passwords are as a result of phishing scams like this one http://myonlinesecurity.co.uk/special-reward-tesco-customers-phishing/