The names and passwords of 2,239 Clubcard loyalty card customers were published on a text-sharing website on 13 February, and were used to steal a small number of Tesco vouchers. The supermarket subsequently launched an “urgent” investigation into the incident, but believes the data was compiled by hackers taking the password-and-email details stolen from previous security breaches, trying them on the Tesco site, and getting 2,239 hits where the same credentials were used.
Tesco says it has closed all the accounts affected and informed the customers involved. It has also beefed up its security and now requires customers to use their unique Clubcard number to log in. The supermarket emphasised that none of its own systems had been breached in the incident.
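The pattern described above (a stolen email-and-password list replayed against a login page, with a small fraction of "hits") leaves a recognisable trace in login audit logs: one source trying many distinct accounts in a short window with a low success ratio. The following detector is an added example, not Tesco's code; the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example, not Tesco's code. The log format, thresholds, IPs and
usernames below are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2014-02-13T09:00:01 203.0.113.7 alice@example.com FAIL
2014-02-13T09:00:02 203.0.113.7 bob@example.com FAIL
2014-02-13T09:00:03 203.0.113.7 carol@example.com OK
2014-02-13T09:00:04 203.0.113.7 dave@example.com FAIL
2014-02-13T09:00:05 203.0.113.7 erin@example.com FAIL
2014-02-13T09:00:06 203.0.113.7 frank@example.com OK
2014-02-13T09:10:00 198.51.100.9 alice@example.com FAIL
2014-02-13T09:10:30 198.51.100.9 alice@example.com OK
2014-02-13T09:11:00 192.0.2.44 grace@example.com OK
"""


def parse_lines(text):
    """Parse audit lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_ok_ratio=0.5):
    """Return {ip: set(usernames)} for sources that tried at least `min_users`
    distinct accounts within any `window`, with success ratio <= max_ok_ratio.

    A legitimate user mistyping their own password repeatedly hits one account,
    so it never reaches min_users; a replayed breach list hits many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) >= min_users:
                ok_ratio = sum(1 for _, _, ok in chunk if ok) / len(chunk)
                if ok_ratio <= max_ok_ratio:
                    flagged[ip] = {u for _, u, _ in evs}
                    break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts a flagged source actually logged into: the ones to lock and reset."""
    hits = {user for _, ip, user, ok in events if ok and ip in flagged}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    bad = find_stuffing_sources(evs)
    print("flagged sources:", sorted(bad))
    print("accounts to reset:", compromised_accounts(evs, bad))
```

The thresholds are a starting point, not a rule: on a real site you would tune `window` and `min_users` against normal traffic, and consider proxies or NAT gateways, where many genuine users legitimately share one source address, before acting on a flag automatically.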
A company spokesperson told SCMagazineUK.com: “All of the accounts published have been deactivated. A handful of people had their accounts compromised - and really it's very few. Any vouchers or anything that was affected will be replaced.”
“Extra security measures have been put in place which mean it can't happen again. You now need to put in your Clubcard number too. This is not a cyber attack on Tesco systems, no Tesco systems have been compromised, it was other sites where the details were hacked, and from which they were applied to people's Clubcard accounts.”
But the leak has led to a flood of warnings for people not to take the easy option and re-use the same name, email and password across their different online accounts.
Charles Sweeney, CEO of Bloxx, said in an email: “Our natural instinct is to simplify and use the same password and username combination for everything. But this is very risky as attacks like these demonstrate. Whilst it might be convenient for you, it also makes it easier for hackers to steal your details from the multiple sites that you've signed up to.
“Companies obviously have duty of care to protect customer information, but customers also have a role to play in protecting themselves by not using the same password combinations or using passwords that are easy to second guess, like their address or birth date.”
Damballa global technical consultant, Adrian Culley, warned there is a thriving trade in stolen personal details among cyber criminals.
“Known hashes (mathematical versions of passwords) and account names harvested from breaches are traded on numerous darknet sites, or un-indexed parts of the web,” he told SCMagazineUK.com.
Culley said that individuals need to strengthen their passwords as well as use multiple ones. “Consider using pass-phrases rather than passwords. Lower case, upper case, numbers, special symbols and the thinking of phrases rather than words will help you increase length and complexity whilst still being able to remember it.”
Culley also advised people to test the strength of their password via Google and other search engines. “Many search engines now provide ‘hash veils’ as responses to searches. Try Googling your own password and either ‘MD5’ or ‘SHA’ (hash algorithms). If a search engine knows the hash of any password you use, you probably need to strengthen it.”
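The same check can be done locally, which avoids typing a live password into a third-party search box: hash the password with the fast, unsalted algorithms breach dumps typically use and look the digest up in a set of hashes already known from breaches. The block below is an added example, not Culley's method or any real breach data; its "known" set is constructed here from a handful of common passwords, and it also adds a reuse check across sites, since reuse is the failure the article is about.

```python
"""Offline stand-in for the 'Google your password hash' check.

Added example. KNOWN_HASHES is constructed from a few common passwords for
illustration; it is not a real breach dump.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for credentials harvested from past breaches.
_COMMON = ["password", "password123", "123456", "qwerty", "letmein"]


def digests(password, algorithms=("md5", "sha1", "sha256")):
    """Hex digests of the password under the unsalted algorithms that
    leaked credential dumps are commonly stored with."""
    data = password.encode("utf-8")
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


# A breached-hash set would normally be loaded from a file; built inline here.
KNOWN_HASHES = {h for p in _COMMON for h in digests(p).values()}


def is_known(password, known=KNOWN_HASHES):
    """True if any digest of the password appears in the known-hash set,
    i.e. the password is effectively public and should be replaced."""
    return any(h in known for h in digests(password).values())


def reused_across_sites(site_passwords):
    """Given {site: password}, return groups of sites sharing one password.

    Comparing SHA-256 digests rather than plaintext lets the same check run
    over a vault export that stores only hashes."""
    by_hash = defaultdict(list)
    for site, pw in site_passwords.items():
        by_hash[digests(pw)["sha256"]].append(site)
    return sorted(sorted(sites) for sites in by_hash.values() if len(sites) > 1)


if __name__ == "__main__":
    for pw in ["password123", "correct-horse-battery-staple-2014"]:
        print(pw, "-> known" if is_known(pw) else "-> not in constructed set")
    # Constructed vault contents: the same password on two of three sites.
    print(reused_across_sites({"tesco": "p@ss1", "email": "p@ss1", "bank": "other"}))
```

A password that is not in this (or any) known set is not thereby strong; the lookup only catches the case Culley describes, where the hash is already circulating. Length, uniqueness per site and a vault still do the real work.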
George Anderson, director of product marketing for Webroot, said of the hack: “In today's ‘always online’ world, customers should make sure they've done anything they can to protect their data - and having a unique password is the place to start.
“Once they've done this, it really is down to the businesses storing data to make sure they add the necessary layers of defence to protect the information they are being trusted with. The only effective defence against cyber crime is a multi-layered one starting with the consumer and supported by the business.”
Trey Ford, global security strategist at Rapid7, added: “It's essential to learn the lesson from this incident before the cost becomes greater. We all know it's a pain to deal with multiple complex passwords across all the various sites and services we use, but there are solutions to help with that, encrypted password vaults like LastPass, 1Password, KeePassX and others.”
Last year, Tesco was a direct victim when hundreds of its customers had their Clubcard accounts hacked.