Tesco blocks 620,000 Clubcard accounts after security scare

Using unique passwords can curb credential stuffing attacks.

Graham Cluley @gcluley


Over 600,000 Tesco Clubcard owners are being sent new cards after the supermarket giant determined hackers had attempted to access accounts.

In an email sent to affected Clubcard users, Tesco said it had spotted fraudulent activity related to some customers’ Clubcard vouchers.

As a precaution, Tesco has locked customers’ accounts and Clubcard vouchers. The retailer, which says that no customer financial information was accessed, believes that hackers may have attempted to break into accounts by using a database of usernames and passwords stolen from a different site.

Tesco email

It appears that Tesco Clubcard customers have fallen victim to what’s known as a “credential stuffing” attack. This is where a malicious attacker attempts to log into accounts without permission, using usernames and passwords that have leaked from data breaches that have happened in the past on unrelated websites.

Such attacks will, of course, be unsuccessful if users have been careful not to reuse the same password on different websites. Unfortunately, far too many people do still recycle the same passwords – rather than use a strong, hard-to-crack, unique password generated by a password manager.

New Clubcards are expected to arrive by March 16 2020. In an FAQ, Tesco is advising that once replacement cards have been delivered, old cards should be “securely destroyed”, and has reassured customers that “no one will lose the value of any of their Clubcard vouchers or points.”

This isn’t the first time Tesco Clubcard owners have found themselves rocked by a security scare.

Back in 2014, a database of over 2000 Clubcard usernames and passwords was published on the internet. Again, the data is thought to have been collected from other unrelated data breaches – rather than a hack at Tesco itself – underlining the importance of never using the same password on different sites.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.