Boots yanks loyalty card payouts after 150K accounts get stuffed

Boots, a UK pharmacy chain, has suspended payments on the loyalty cards of 14.4 million active customers after its security team spotted “unusual” activity on a number of Boots Advantage Card accounts.

It wasn’t hacked, the company said in a statement, and this isn’t what you’d classify as a breach. Intruders didn’t get into its systems during the attack, Boots said on Thursday. Nonetheless, for the time being, it’s suspended payments made with the loyalty points cards.

This wasn’t our fault, the company said in its statement:

We would like to reassure our customers that these details were not obtained from Boots.

If Boots wasn’t hacked, then where did crooks get the credentials that they’ve evidently used to try to get into people’s Advantage Card accounts so they can make fraudulent purchases on what we refer to in the States as “somebody else’s dime?”

(Or, in this case, on somebody else’s penny: The loyalty cards award shoppers with four points for every £1 they spend. One point will get you one penny’s worth of spending power, so if your card has a balance of, say, 199 points, you could use it to buy something that costs £1.99 at a store or online at… which, of course, means that anybody who gets access to your account can do the same, regardless of where they’re located. That’s why Boots shut down the program, so nobody can shop with points at either stores or online.)

Boots suggests that the suspicious activity spotted in customers’ accounts is coming from crooks trying to get at their accounts by using credentials that were exposed in some other breach – credentials that those customers have used, reused, re-reused and re-re-re-diculously refused to let go of.

It’s called credential stuffing. Sticking (reused!) passwords into every online place you can think of is a simple way to get into somebody else’s account without permission: just go online and look for lists of breached credentials, often available for sale or for free, then try them out until you hit the jackpot. Or the pennies on people’s loyalty cards, as the case may be.

In its statement, Boots said that a) it’s letting a small number of affected customers know, and b) this wouldn’t happen if people used unique credentials – because yes, using a password twice (or more, of course!) is really, truly a lousy idea.

We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access accounts. These attempts can be successful if people use the same email and password details on multiple accounts.

We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.

A spokeswoman for Boots told the BBC that the breach affected less than 1% of the company’s 14.4 million active Advantage Cards – fewer than 150,000 people. That number’s hazy as yet, given that the company’s investigation is still ongoing.

After the investigation does reach a final number, and if the final number of affected accounts turns out to be anywhere near the small percentage Boots is now estimating, it will mean that millions of customers have been locked out of their loyalty points due to a tiny minority who haven’t made it a priority to protect their online accounts.

Who can blame them? We know it’s hard to come up with strong, unique passwords. Or to keep track of them if you do.

Oh, wait, scratch that – it’s not!

Earn “Loyalty to Security” points!

Want to earn Loyalty to Security points? …Which will buy Better Security For All Of Us Who Get Locked Out of Our Accounts Due to Password Reusers? Take these simple steps:

Pick strong passwords. Watch our video to find out how to come up with a brute:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

Say “Yes, please!” to 2FA. If a website gives you the option of using two-factor authentication (2FA or MFA), take them up on it. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:


(Audio player above not working? Download MP3 or listen on Soundcloud.)

Use a password manager. We know they’re not perfect, but we still highly recommend using one: the advantages of using one outweigh the security imperfections that have cropped up and which, at any rate, get taken care of in updates.

Don’t dismiss accounts that “don’t matter.”
Boots’ shutdown of its Advantage Card shows that there really isn’t such a thing as a “low-value” account. The crooks don’t care how much you value a given account: if it’s easily hackable, they’ll take advantage of it, and everybody will suffer when a company has to shut down a popular program and launch an investigation.

In cybersecurity, if you aren’t part of the solution, you’re part of the problem. Please, make sure to lock down all your accounts, lest you ruin it for everybody else.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.