Tesco has been forced to deactivate thousands of customers’ online accounts after their login names and passwords were plastered all over the Internet, in the latest twist of a sustained attack on Tesco.com.
The list of nearly 2,500 accounts was posted to a popular text-sharing site yesterday, with the supermarket giant claiming the data had been compiled by hackers using details stolen from other sites.
Password and email combinations seen in those large breaches were then tried on the Tesco site and resulted in 2,239 hits where the same credentials were used.
Tesco said it was “urgently investigating” the issue, however, only last month it claimed its systems were secure, despite fresh reports that customers’ Clubcard points had been stolen in the run-up to Christmas.
The Clubcard scam was first reported by DecisionMarketing nearly a year ago, when the retailer conducted a “thorough investigation”, that revealed no weakness nor any sign that its systems were compromised or breached.
“We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this,” Tesco said in a statement. “We will issue replacement vouchers to the very small number who are affected.”
Since introducing online Clubcard accounts in October 2012, all that was required to log in was an email address and a password. Since October, as an additional protection, Tesco requires account holders to include their Clubcard number.
Related stories
Clubcard gang sentenced for fraud
Clubcard theft ‘work of cyber gang’
Clubcard site hit by new hack attack
Tesco warns of Clubcard theft threat
Clubcard vouchers to go digital