Tesco.com has been forced to deactivate more than 2,000 accounts after hackers posted a list of usernames and passwords online.
Investigators believe the attackers took credentials stolen from other sites and tried them on Tesco.com, gaining access to 2,239 accounts. This underlines the importance of using a unique password for every online account.
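The pattern described above, where leaked credentials from elsewhere are replayed against a site's login, leaves a recognisable trace in authentication logs: one source attempting many different usernames in a short time, with only the handful of reused passwords succeeding. The following is an added illustration, not code from the article or from Tesco; it runs a simple sliding-window detector over constructed sample login events (the IPs, usernames, thresholds and outcomes are all made up for the example) and then lists the accounts that were actually opened from a flagged source, which are the accounts a site would deactivate and force through a password reset.

```python
from collections import defaultdict


def _build_sample_events():
    """Constructed login events for the example: (timestamp_s, source_ip, username, outcome).
    None of these values come from the incident in the article."""
    events = []
    # 1) Stuffing pattern: one source tries 40 different leaked usernames within
    #    a few minutes; only the three accounts whose owners reused the leaked
    #    password let it in.
    for i in range(40):
        outcome = "success" if i in (5, 17, 33) else "failure"
        events.append((1000 + i * 7, "203.0.113.9", f"user{i:03d}@example.com", outcome))
    # 2) Shared office NAT: 15 distinct people log in and nearly all succeed.
    for i in range(15):
        outcome = "failure" if i == 4 else "success"
        events.append((1000 + i * 20, "198.51.100.20", f"staff{i:02d}@example.com", outcome))
    # 3) One forgetful customer retrying their own password from home.
    for i in range(8):
        outcome = "success" if i == 7 else "failure"
        events.append((1000 + i * 30, "192.0.2.77", "alice@example.com", outcome))
    return events


SAMPLE_EVENTS = _build_sample_events()


def detect_credential_stuffing(events, window_s=600, min_attempts=20,
                               min_distinct_users=10, max_success_ratio=0.25):
    """Return {source_ip: stats} for sources whose activity within some window_s-second
    window looks like credential stuffing: many attempts, spread over many distinct
    accounts, with a low success ratio. The thresholds are illustrative assumptions.
    A NAT with many successful users and a single user retrying their own password
    fall outside those criteria and are not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most window_s seconds.
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1
            window = attempts[start:end + 1]
            n = len(window)
            if n < min_attempts:
                continue
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, o in window if o == "success")
            ratio = successes / n
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                # Keep the largest qualifying window seen for this source.
                current = flagged.get(ip)
                if current is None or n > current["attempts"]:
                    flagged[ip] = {"attempts": n,
                                   "distinct_users": len(users),
                                   "success_ratio": ratio}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that authenticated successfully from a flagged source: the logins
    the reused credentials actually opened, and therefore the ones to deactivate
    and push through a password reset."""
    return sorted({u for _, ip, u, o in events if ip in flagged and o == "success"})


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_EVENTS)
    for ip, stats in hits.items():
        print(f"{ip}: {stats['attempts']} attempts, {stats['distinct_users']} accounts, "
              f"success ratio {stats['success_ratio']:.3f}")
    print("accounts to reset:", accounts_to_reset(SAMPLE_EVENTS, hits))
```

The success-ratio test is what separates stuffing from a busy but legitimate source: an office NAT also shows many distinct usernames, but almost every attempt succeeds, whereas replayed leaked credentials fail on every account whose owner did not reuse the password.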
In January, Yahoo revealed that some Yahoo Mail accounts had been accessed by unknown attackers using passwords apparently stolen from third-party sources.
"We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this," Tesco said in a statement.
The supermarket group has also promised to issue replacement vouchers after some account holders reported that the attackers had cleaned them out, reports the BBC.
Trey Ford, global security strategist at security firm Rapid7, said the attack may not be limited to Tesco.com customers.
“Chances are the attackers have tried using the stolen credentials on other sites too and so we may see additional fallout,” he said.
Ford said initial indications are that Tesco itself was not breached. He said that, if this proves the case, those affected have no-one but themselves to blame.
“This is about consumer behaviour – people continue to re-use passwords and other credentials across multiple sites, making it easy for attackers to compromise them,” he said.
“It’s essential to learn the lesson from this incident before the cost becomes greater.”
Charles Sweeney, chief executive of security firm Bloxx, said companies obviously have a duty of care to protect customer information.
“But customers also have a role to play in protecting themselves by not using the same password combinations or using passwords that are easy to second guess, like their address or birthdate,” he said.
Ford said dealing with multiple complex passwords across various sites and services is a challenge, but encrypted password vaults such as LastPass, 1Password and KeePassX can help.
Anyone concerned their accounts are at risk should create unique passwords for each online account and store them in a password vault, starting with their email password.
The latest data breach comes a year after attackers accessed hundreds of Tesco Clubcard accounts, but it also comes within days of Tesco revealing more than 1,000 customer email addresses, reports the Telegraph.
Tesco sent an email apologising for a pricing error, but all the recipients’ email addresses were visible to all the other recipients.
A Tesco spokesman said: "The security of our customer’s data is of the utmost importance to us, and we apologise sincerely to any of our customers who were affected. We are conducting a thorough review of our processes to ensure this never happens again."