UK supermarket giant Tesco is issuing 600,000 customers with new loyalty cards after some accounts were compromised by an unauthorized third party.
Although Tesco’s own IT systems were not compromised, it’s believed the hackers used a combo list of usernames and passwords breached from other sites and ran a brute force attack against Clubcard accounts with them.
The supermarket also reassured customers that no financial details were taken.
“We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers,” a Tesco spokesperson told the BBC.
“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”
Chris Miller, regional director, UK & Ireland at RSA Security, argued that credential stuffing attacks are one of the biggest causes of data loss.
“From the end user’s perspective, it really is important not to use the same password for multiple accounts — especially between work and personal accounts. If there has been a data breach such as this, which involves a company they have an account with, they need to change the password not just on that account, but also any other account that uses the same one,” he added.
“After all, if attackers have tried to log into Tesco Clubcard with stolen credentials, in all likelihood they’ll be trying the credentials on other sites too. Finally, some sites and apps will offer two-stage authentication, asking for both a password and, for example, a code delivered to a mobile phone. It’s a good idea to tick this option, as it can offer an extra degree of security.”
According to Akamai, there were 28 billion credential stuffing attacks on e-commerce accounts from May to December of 2018, amounting to 115 million attempts to log in each day.
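The pattern Tesco describes (one source replaying a combo list of credentials from another breach, mostly failing, occasionally succeeding where a password was reused) is what a login-log detector looks for. The following is an added example, not Tesco's or RSA's code; the log format, IP addresses, accounts and thresholds are all constructed for illustration.

```python
from collections import defaultdict
# Constructed sample authentication log (not from Tesco or any real system):
# "<timestamp> <source_ip> <account> <result>"
SAMPLE_LOG = """\
2019-03-05T10:00:01 203.0.113.7 alice@example.com FAIL
2019-03-05T10:00:02 203.0.113.7 bob@example.com FAIL
2019-03-05T10:00:02 203.0.113.7 carol@example.com OK
2019-03-05T10:00:03 203.0.113.7 dave@example.com FAIL
2019-03-05T10:00:03 203.0.113.7 erin@example.com FAIL
2019-03-05T10:00:04 203.0.113.7 frank@example.com FAIL
2019-03-05T10:00:05 203.0.113.7 grace@example.com FAIL
2019-03-05T10:01:10 198.51.100.2 alice@example.com FAIL
2019-03-05T10:01:20 198.51.100.2 alice@example.com FAIL
2019-03-05T10:01:30 198.51.100.2 alice@example.com OK
2019-03-05T10:02:00 192.0.2.9 heidi@example.com OK
"""

def parse_log(text):
    """Parse the log into (source_ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, ip, account, result = line.split()
            events.append((ip, account, result == "OK"))
    return events

def flag_stuffing_sources(events, min_accounts=5, min_fail_rate=0.7):
    """Return {ip: (distinct_accounts, fail_rate)} for sources that behave like
    credential stuffing: one source trying many *different* accounts, mostly
    failing (a combo list from another breach only matches reused passwords).
    A user retrying their own single account is never flagged."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for ip, account, ok in events:
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = (len(s["accounts"]), round(fail_rate, 2))
    return flagged

def accounts_to_lock(events, flagged_ips):
    """Accounts a flagged source logged into successfully: likely password-reuse
    victims whose access should be restricted pending a password reset."""
    return sorted({acct for ip, acct, ok in events if ok and ip in flagged_ips})
```

On the sample, only 203.0.113.7 is flagged (7 accounts, 86% failure), and carol@example.com is the account to restrict; the user at 198.51.100.2 retrying their own password is left alone.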