
Tesco Customers’ Passwords Stolen And Posted Online

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.


Thousands of online customers have their accounts deactivated after user details were leaked and posted

Tesco has been forced to deactivate the online accounts of several thousand of its customers after details of their accounts were posted following a security breach of its website.

The company confirmed that over 2,000 customers had had their usernames and passwords stolen and posted on popular text-sharing site Pastebin yesterday.

The hackers are thought to have used data stolen in several other high-profile security attacks to access the Tesco site, focusing on customers using the same usernames and passwords for various websites. Overall, they were able to access details from 2,239 accounts and make off with their stored Clubcard vouchers.

Customers whose details were included on the list confirmed that their accounts had now been deactivated when contacted by the BBC.

[Image: Tesco store shop logo © JuliusKielaitis Shutterstock]

Easy targets

“We take the security of our customers’ data extremely seriously and are urgently investigating these claims,” a Tesco spokesperson said of the attack.

“We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this. We will issue replacement vouchers to the very small number who are affected.”

In a blog post, security researcher Troy Hunt outlined how the attackers could have accessed the data, stating that Tesco’s approach to security ‘provides numerous avenues for attackers to easily verify the existence of accounts and then establish their passwords’.

The Tesco website apparently has several security shortcomings: it allows multiple login attempts against the same email address, and Hunt also showed that the site's password reset options can be reached with only an email address, meaning hackers could easily change a user's password and gain access to their account.
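The two shortcomings Hunt describes (unbounded login attempts per account, and a reset flow that reveals or acts on an email address alone) map directly onto a handful of well-known server-side controls. The following is an added illustration written for this article, not Tesco's code nor anything from Hunt's post: a minimal `LoginService` (hypothetical name) that returns the same generic error whether the email is unknown, the password is wrong, or the account is temporarily locked; caps consecutive failures per account; and handles a reset request by emailing a single-use token to the registered address while answering identically for registered and unregistered addresses. The in-memory `outbox` stands in for a mail sender and the injectable `clock` exists only so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time


class LoginService:
    """Hypothetical account service (example code, not Tesco's implementation).

    Demonstrates three controls against the weaknesses described above:
    uniform error messages that do not reveal whether an email is registered,
    a cap on consecutive failed logins per account, and a password reset that
    issues a short-lived single-use token instead of changing the password
    on request.
    """

    MAX_FAILED = 5                 # consecutive failures before a temporary lock
    LOCKOUT_SECONDS = 15 * 60      # length of the temporary lock
    RESET_TOKEN_TTL = 60 * 60      # reset tokens expire after one hour
    GENERIC_LOGIN_ERROR = "Invalid email address or password."
    GENERIC_RESET_MESSAGE = "If that email address is registered, a reset link has been sent."

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}       # email -> {"salt", "hash", "failed", "locked_until"}
        self.reset_tokens = {}   # token -> (email, expiry)
        self.outbox = []         # constructed stand-in for an outbound mail queue

    @staticmethod
    def _hash(password, salt):
        # Slow, salted password hash; 100k iterations keeps the example quick.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, email, password):
        """Return (success, message). The message never distinguishes
        unknown email, wrong password, or locked account."""
        acct = self.accounts.get(email)
        if acct is None:
            # Burn the same hashing cost so response time does not reveal
            # that the address is unregistered.
            self._hash(password, b"\x00" * 16)
            return False, self.GENERIC_LOGIN_ERROR
        now = self.clock()
        if now < acct["locked_until"]:
            return False, self.GENERIC_LOGIN_ERROR
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failed"] = 0
            return True, "OK"
        acct["failed"] += 1
        if acct["failed"] >= self.MAX_FAILED:
            acct["locked_until"] = now + self.LOCKOUT_SECONDS
            acct["failed"] = 0
        return False, self.GENERIC_LOGIN_ERROR

    def request_reset(self, email):
        """Email a single-use token if the address is registered; reply the
        same way either way so the endpoint cannot be used to enumerate accounts."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = (email, self.clock() + self.RESET_TOKEN_TTL)
            self.outbox.append((email, token))
        return self.GENERIC_RESET_MESSAGE

    def complete_reset(self, token, new_password):
        """Set a new password only when a valid, unexpired token is presented."""
        entry = self.reset_tokens.pop(token, None)   # pop: token is single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.register(email, new_password)          # re-salt and store
        return True


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice@example.com", "correct horse battery staple")
    print(svc.login("alice@example.com", "wrong"))           # (False, generic error)
    print(svc.login("nobody@example.com", "wrong"))          # identical generic error
    print(svc.request_reset("nobody@example.com"))           # generic reset message, nothing sent
```

A per-account lock like this has a cost: anyone who knows a victim's email can keep that account locked, so production systems usually combine a modest lock with per-source rate limiting, progressive delays or a challenge rather than relying on lockout alone. The reset handler deliberately never reports whether the address existed; the only observable difference is whether mail arrives in the registered user's inbox.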

The attack is not the first time that Tesco customers have had their online accounts hacked by cyber-criminals. In February 2013 hundreds of Tesco Clubcard owners reported that their loyalty card accounts had been accessed and hundreds of pounds worth of vouchers stolen. The company has also encountered several security issues with its website, where an XSS flaw left customers at risk of having their accounts hijacked.

Earlier this month, Tesco accidentally revealed hundreds of customer email addresses as it attempted to apologise for a pricing error by including all recipients’ email addresses in the ‘to’ field.

It’s also not the first time Hunt has criticised the grocery giant. In 2012, he found that Tesco sent passwords to users in plain text potentially exposing them to third parties.

The hack is the latest to affect a major retail chain, with US store Target recently suffering a high-profile hack which saw 70 million of its users having their credit card details stolen. The company has since looked to tighten up its security protocols, and also offered affected customers one year of free credit monitoring and identity theft protection.
