Thousands of customers who frequent the supermarket website Tesco.com may have had a rude awakening, with the news that their user credentials were openly published on Pastebin by an unknown source.
UK supermarket giant Tesco believes the hackers may have obtained the affected customers' usernames and passwords from separate websites and then tried the same logins on Tesco.com. In all, around 2,200 accounts were compromised, and as of the writing of this report 95% of those have been restored to their original owners.
“We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this,” Tesco said in a statement. “We will issue replacement vouchers to the very small number who are affected.”
Much like the Adobe/Facebook crossover breach, the company has had to go out of its way to warn users that they should never use the same password across multiple accounts, as doing so heightens the risk and gives hackers a loophole they can exploit without any extra legwork.
“The attackers seem to have picked up usernames and passwords that were leaked after breaches of other, potentially unrelated organisations, and by trying them on Tesco’s site, they were able to compromise 2,239 Tesco.com customer accounts. So far the information available indicates that the impact of this has been relatively limited – stolen vouchers – but if attackers have tried this on Tesco.com, the chances are they are also trying it on other sites too and so we may see additional fallout.”
This is not the first time the chain has faced scrutiny over its security practices: at the same time last year it was investigated by local police after attackers were able to steal the Clubcard vouchers of nearly two dozen customers and use them freely without repercussion.