Both companies believe that details from a database of hacked passwords and usernames from other platforms have been used to access their websites. Given that people may use the same username/password combination on various sites, attackers may have been successful in some attempts.
Tesco has cancelled all affected vouchers as a precaution and asked affected customers to reset their passwords. Up to 640,000 Tesco customers may have been affected by the issue.
According to the company, no customer financial data was accessed. “We have strict security measures in place and our priority is protecting our customers,” said a Tesco spokesperson. “Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”
The retailer reiterated that the situation has been dealt with, but internal investigations are ongoing and affected customers are being contacted.
A similar issue of attackers trying to break into customers’ accounts has also impacted Boots, but on a much smaller scale. According to the pharmacy chain, fewer than 1% of its 14.4 million boots.com customers were affected.
According to Boots, its IT security staff noticed unusual login and points-spending activity on a number of Boots Advantage Card accounts on boots.com.
Because of that, Boots stopped payment for products using its loyalty card points online or in store, which also removes people’s ability to attempt to access any Boots accounts.
Stressing that the company's own database had not been compromised, a spokesperson for Boots said the suspension of payments using Boots Advantage Card points is temporary and that any points balance taken by attackers will be fully restored.
“We are writing to customers if we believe their account has been affected, and if their Boots Advantage Card points have been used fraudulently we will, of course, replace them,” said a Boots spokesperson.
“We currently believe that this will only affect a tiny percentage of cardholders and we would like to reassure customers that credit card information cannot be accessed. To help protect online accounts, we strongly recommend using different passwords for each site used.”
Max Heinemeyer, director of threat hunting at Darktrace, described this as a typical case of “credential stuffing”, in which hackers take previous data leaks containing stolen passwords uploaded to the dark web and reuse those credentials to sign into other online accounts belonging to the same user.
“Good password managers and multifactor authentication will help, but there is only so much the individual can do,” he said. “The responsibility lies with the organisations providing online services to ensure they have robust systems and cutting-edge defensive technologies to fight back when hackers do gain access to users’ accounts.”
Heinemeyer said AI is fighting back against hackers attempting to hijack individuals’ accounts “every single day”.
“Regardless of whether it is someone’s email or a social media account, if a hacker tries to log in from the US, say, at a slightly unusual time, when the owner of the account usually logs in from the UK, AI is now sophisticated enough that it can stop that login attempt from being successful,” he said.
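The two signals described above, a breach list being replayed against many accounts and a successful login from an unusual country or hour, can both be pulled out of ordinary login logs. The following is an added example written for this article, not code from Tesco, Boots or Darktrace; the log events, thresholds and per-account baselines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login events (not real retailer data):
# (timestamp, username, source_ip, country, succeeded)
EVENTS = [
    ("2020-03-02T09:01:00", "alice", "203.0.113.5", "GB", True),   # normal login
    ("2020-03-02T03:10:00", "alice", "198.51.100.7", "US", False),  # list replay starts
    ("2020-03-02T03:10:02", "bob",   "198.51.100.7", "US", False),
    ("2020-03-02T03:10:04", "carol", "198.51.100.7", "US", False),
    ("2020-03-02T03:10:06", "dave",  "198.51.100.7", "US", False),
    ("2020-03-02T03:10:08", "erin",  "198.51.100.7", "US", False),
    ("2020-03-02T03:10:10", "frank", "198.51.100.7", "US", True),   # reused password
    ("2020-03-02T18:30:00", "bob",   "203.0.113.9", "GB", False),  # one typo, then ok
    ("2020-03-02T18:30:20", "bob",   "203.0.113.9", "GB", True),
]

# Constructed baseline per account: (usual country, usual login hours)
BASELINE = {name: ("GB", range(7, 23)) for name in ("alice", "bob", "frank")}


def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with mostly failures:
    the signature of a replayed breach list rather than a user mistyping."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for _, user, ip, _, ok in events:
        stats = by_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if not ok:
            stats["failures"] += 1
    return sorted(ip for ip, s in by_ip.items()
                  if len(s["users"]) >= min_users
                  and s["failures"] / s["attempts"] >= min_fail_ratio)


def anomalous_logins(events, baseline):
    """Flag successful logins whose country or hour falls outside the
    account's usual pattern, the per-account check Heinemeyer describes."""
    flagged = []
    for ts, user, ip, country, ok in events:
        if not ok or user not in baseline:
            continue
        usual_country, usual_hours = baseline[user]
        hour = datetime.fromisoformat(ts).hour
        if country != usual_country or hour not in usual_hours:
            flagged.append((user, ip, country, hour))
    return flagged


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(EVENTS))
    print("anomalous logins:", anomalous_logins(EVENTS, BASELINE))
```

The second check is what catches the one account the attacker did get into: the login succeeded, so only the mismatch against that user's own baseline distinguishes it from the owner.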