UK retailer Tesco has been forced to suspend 2,239 user accounts after a list of email addresses, passwords and Clubcard voucher balances was posted online.
The list of user details, dumped on a popular text-sharing site on Tuesday evening, was at first thought to be fake until some Twitter users started testing username and password combinations, discovering that they did indeed work.
A small number of users also contacted the BBC, via email addresses published as part of the dump, to confirm that their accounts had been suspended.
The security breach does not appear to have come from Tesco’s end though. The supermarket giant said the data must have been compiled by taking user details obtained from breaches at other websites – presumably those of users who had reused email addresses and passwords across multiple accounts.
Though it is not yet known exactly where the customer details came from, you don’t have to look very far to see examples of where the crooks could have got hold of at least some of the data.
In October Adobe admitted that cyber criminals had appropriated account details for 38 million of their customers.
Some Tesco.com users told the BBC that Clubcard vouchers they had earned had been stolen, though the amounts reported were quite small.
Tesco announced that it would offer replacement vouchers to all of those affected.
The company, which said that it is ‘urgently investigating’ the breach, spoke to the BBC:
‘We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this.
‘We will issue replacement vouchers to the very small number who are affected.’
So let this serve as a timely reminder to use different, complex passwords for every account that you have online. Otherwise, once one is compromised, all of your accounts become vulnerable.
Also, be wary of any offers you may now receive for Clubcard or other types of supermarket vouchers – even if they aren’t stolen, they could be fake.