Tesco: thousands of shopping account credentials leaked online

Pierluigi Paganini February 15, 2014

Thousands of Tesco.com shopping accounts were suspended after hackers leaked user details, including credentials and Tesco Clubcard vouchers.

Tesco has confirmed that it suffered a data breach. The cybercriminals hit the company on Valentine's Day, compromising the accounts of thousands of online customers.

“We take the security of our customers’ data extremely seriously and are urgently investigating these claims.”
“We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this. We will issue replacement vouchers to the very small numbers who are affected.” said a Tesco spokesperson.

The news was reported by The Guardian: the hackers obtained login credentials for thousands of accounts, which Tesco deactivated in response to the incident. This isn't the first time Tesco has suffered a data breach. In 2013, hundreds of Tesco Clubcard users found that their online accounts had been compromised.

“It was suggested at the time that the Clubcard hacks were also caused by account holders using the same username and password combination on other compromised sites and services.” reported the Guardian.

Attackers hit the Tesco.com website, and unknown hackers posted a list of over 2,240 shopping accounts on Pastebin.

The list contains online shopping accounts and personal details, and also includes Tesco Clubcard vouchers. It is still not clear how the hackers obtained the data published on Pastebin. Some experts hypothesized that the data was collected from other data breaches and that the cybercriminals successfully used the same credentials to access the Tesco shopping portal. It is confirmed that the bad habit of reusing credentials across different services has also caused the exposure of the Tesco accounts.

The security expert Troy Hunt, who previously criticized Tesco for sending passwords in plain text via email, commented on the incident on his blog with the following statement:

“What would concern me if I was in Tesco’s shoes is that clearly someone has a workable attack vector that’s exploiting their accounts. Whether they’re brute forcing accounts one by one or simply testing for reused credentials from other breaches, the fact remains that accounts have been compromised en masse. I would not for a moment assume that the extent of the damage is only a couple of thousand accounts, that’s almost certainly only the tip of the iceberg. Many of the serious security problems that Tesco had in mid-2012 remain both in terms of discrete risks I called out (such as password strength), and as a cultural approach to security in general. There are still numerous easily observable risks discoverable simply by browsing the website, who knows what might lie beneath that and is readily discoverable with a little probing.”

The recent incidents at US retailers Target and Neiman Marcus demonstrated how dangerous a data breach can be for a company's business and reputation. Who will shop again on Tesco.com? Users must be informed of the risks related to attacks on e-commerce platforms, and they need to be informed of the mitigation techniques adopted by retailers and online shopping portals to protect their customers.

Pierluigi Paganini

(Security Affairs –  Tesco, databreach)
