The BBC reports the official line from Tesco: "The supermarket giant said the data had been compiled by hackers using details stolen from other sites." This theory suggests that emails and passwords were collected from other breach dumps and then tested against Tesco – ultimately finding 2,239 Tesco accounts using the same credentials.
The report then adds that the BBC contacted a few of the users using the email addresses in the list and were told that the credentials were correct, and that Tesco had deactivated the accounts. There is no indication of any monetary loss to the users concerned, but Tesco said, "We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this."
One dissenting voice comes from Troy Hunt. While accepting that the official line could be accurate, he proposes a number of alternative scenarios based on Tesco's security practices. Hunt first raised concerns about the company in 2012 when he tweeted about Tesco's habit of sending users their passwords by email in plaintext. Apart from the vulnerability of the emails, it means that at that time Tesco was keeping a plaintext copy of the passwords rather than a hashed copy.
In a report published this morning, Hunt demonstrates how it would be feasible for hackers to gain the credentials directly from Tesco. Firstly, if you know an email address, you can ascertain whether it has an associated Tesco account by entering any password that fails. When it fails, the user gets a 'forgotten password?' link. That link will tell you if the email address is invalid; if it does not, the address is valid.
Hunt also notes that although the log-on form says "there is a limit to the number of times incorrect details can be entered before your account is locked," this isn't strictly enforced. Hunt tested 20 consecutive false passwords on his own account without being locked out. His contention is that this, coupled with an enforced weak password policy (between 6 and 10 characters comprising only lower-case letters and numbers), ensures that Tesco credentials are eminently brute-forceable.
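The two weaknesses Hunt describes, an enumerable 'forgotten password?' flow and a lockout that is announced but not enforced, are both fixable on the server side. The following is an added illustration written for this article, not code from Tesco or from Hunt's report: a minimal account store whose login and reset responses are identical for unknown addresses, wrong passwords and locked accounts, and whose lockout counter is actually checked before the password is verified. The threshold of five attempts and the 15-minute lockout window are assumed values for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 5        # assumed lockout threshold for this example
LOCKOUT_SECONDS = 15 * 60      # assumed lockout window for this example
GENERIC_FAILURE = "invalid credentials"
GENERIC_RESET = "If that address has an account, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; stores a hash, never the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class AccountStore:
    def __init__(self) -> None:
        # email -> {salt, hash, failures, locked_until}
        self.accounts = {}

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[email.lower()] = {
            "salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0,
        }

    def login(self, email: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(email.lower())
        if acct is None:
            # Do the same amount of hashing work for unknown addresses so the
            # response time does not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return GENERIC_FAILURE
        if acct["locked_until"] > now:
            # Locked accounts refuse even the correct password, and say nothing
            # different from an ordinary failure. A real service would notify
            # the account owner of the lock out of band (e.g. by email).
            return GENERIC_FAILURE
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return GENERIC_FAILURE

    def request_reset(self, email: str) -> str:
        # The response is identical whether or not the address is registered,
        # so the reset flow cannot be used to confirm which emails have accounts.
        if email.lower() in self.accounts:
            pass  # a real service would send the reset link here
        return GENERIC_RESET


if __name__ == "__main__":
    store = AccountStore()
    store.register("user@example.com", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("user@example.com", "wrong", now=1000.0))
    print(store.login("user@example.com", "correct horse battery staple", now=1001.0))
    print(store.request_reset("nobody@example.com"))
```

The `now` parameter exists only so the lockout expiry can be exercised deterministically; in production the wall clock is used. The lock is evaluated before the password hash is computed, which is what makes the advertised limit real rather than cosmetic.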
Security researcher Robin Wood, who developed a password analysis tool called pipal, has analyzed the pastebin dump. He found that 25% of the passwords are the minimum six characters long, while only one in ten uses the full ten characters. The most popular passwords are names: charlie, sophie, elizabeth, barney... "Seriously, how long do you think it's going to take to brute force those?!" asks Hunt. And Wood supports him. "The passwords were simple and Troy's assessment does seem valid," he told Infosecurity.
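The kind of audit Wood ran with pipal (length distribution, most frequent values, and how much room the password policy actually leaves) is straightforward to reproduce for a defender reviewing their own password policy. The block below is an added example written for this article, not pipal's code and not the real dump; the 20-entry list is constructed, and the policy regex encodes the 6-to-10-character lower-case alphanumeric rule described above so its total keyspace can be compared with a stronger policy.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample "dump": 20 made-up entries, not the leaked data.
SAMPLE_DUMP = [
    "charlie", "sophie", "charlie", "elizabeth", "barney", "sophie",
    "qwerty", "abc123", "letmein", "charlie", "barney1", "sophie12",
    "jessica", "liverpool", "football", "123456", "1234567", "charlie",
    "shopping", "monkey",
]

# The weak policy described in the article: 6-10 chars, lower-case letters and digits only.
WEAK_POLICY_RE = re.compile(r"[a-z0-9]{6,10}")


def conforms_to_policy(password: str) -> bool:
    """True if the password would be accepted under the weak policy."""
    return WEAK_POLICY_RE.fullmatch(password) is not None


def length_distribution(passwords: List[str]) -> Dict[int, int]:
    """Count of passwords at each length (what pipal reports as a length table)."""
    return dict(Counter(len(p) for p in passwords))


def share_at_length(passwords: List[str], length: int) -> float:
    """Fraction of the dump whose length is exactly `length`."""
    if not passwords:
        return 0.0
    return sum(1 for p in passwords if len(p) == length) / len(passwords)


def top_passwords(passwords: List[str], n: int) -> List[Tuple[str, int]]:
    """The n most frequently occurring values with their counts."""
    return Counter(passwords).most_common(n)


def policy_keyspace(min_len: int, max_len: int, alphabet_size: int) -> int:
    """Total number of passwords a fixed-alphabet policy permits across all allowed lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def keyspace_bits(min_len: int, max_len: int, alphabet_size: int) -> float:
    """Keyspace expressed in bits, for comparing policies."""
    return math.log2(policy_keyspace(min_len, max_len, alphabet_size))


def audit(passwords: List[str]) -> Dict[str, object]:
    """A compact pipal-style summary of the dump."""
    lengths = length_distribution(passwords)
    return {
        "total": len(passwords),
        "lengths": lengths,
        "share_min_length": share_at_length(passwords, min(lengths)),
        "share_max_length": share_at_length(passwords, max(lengths)),
        "top5": top_passwords(passwords, 5),
        "all_within_weak_policy": all(conforms_to_policy(p) for p in passwords),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
    weak = keyspace_bits(6, 10, 36)              # 36 = 26 lower-case letters + 10 digits
    stronger = keyspace_bits(12, 64, 95)         # printable ASCII, 12+ chars (assumed comparison policy)
    print(f"weak policy: {weak:.1f} bits; stronger policy: {stronger:.1f} bits")
```

Two things the summary makes visible that a raw list does not: the weak policy caps the entire keyspace at roughly 52 bits even before users pick names, and a high share at the minimum length shows that most users stop at whatever floor the policy sets, so raising the floor is the single most effective policy change.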
It is important that we discover the truth behind this issue. If Tesco's assertion is correct, then the fault lies with users who reused the same password across multiple accounts, not with Tesco. But if Hunt is correct, then poor security procedures operated by Tesco are to blame. The reality, however, is that if Hunt's analysis of those procedures is correct, they need to be improved regardless.