Loyalty Cards Targeted in Tesco Clubcard Attack

tesco credential stuffing attack

Around 600,000 of the supermarket’s 12 million loyalty program members have been warned about a cyberattack.

U.K. supermarket giant Tesco is warning on a credential-stuffing attack that potentially affects 600,000 members of its Clubcard loyalty program.

It said that it detected cybercriminals trying out different name and password combos, gleaned from a database of stolen usernames and passwords for other services, on Clubcard accounts. The efforts were partially successful, it said, so out of an abundance of caution, it is replacing cards and requiring shoppers to set up new credentials.

“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers,” a Tesco spokesperson told the BBC. “Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”

No financial data was exposed, Tesco added, and people’s loyalty points will remain unaffected. It notified those it thought could be affected:


There’s a growing underground market for loyalty program data. Hackers can sell the account’s credentials, or offer direct access to the accounts to people that go on to use the stored value, coupons, points and so on contained in them for themselves. Other rewards-point abuse often revolves around the ability to set up scams offering “discounted goods” that were actually purchased using stolen points.

Credential stuffing meanwhile is a go-to account takeover technique. It’s an automated, bot-driven process that takes advantage of the fact that users often reuse the same passwords across multiple online accounts. Credential-stuffing has been on the rise thanks to several large-scale credential dumps online, and several high-profile companies have fallen victim to it, including Dunkin Donuts, FC Barcelona and State Farm.

“Using leaked or stolen access credentials from data breaches, the bots will then hammer the sites with multiple login attempts until one of the combinations pans out,” security firm ESET noted in a recent posting.

One common recommendation is to implement multi- or two-factor authentication (MFA/2FA). “Facebook, Instagram and Twitter all offer several 2FA methods,” ESET noted. “The second authentication factor offers a valuable additional layer of protection in exchange for very little effort.”

Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles