Tesco.com deactivates accounts after hackers publish logon details

Warwick Ashford

Tesco.com has been forced to deactivate more than 2,000 accounts after hackers posted a list of usernames and passwords online.

Investigators believe the attackers tried credentials stolen from other sites on Tesco.com and were able to access 2,239 accounts, underlining the importance of using unique passwords for online accounts.

In January, Yahoo revealed that some Yahoo Mail accounts had been accessed by unknown attackers using passwords apparently stolen from third-party sources.

"We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this," Tesco said in a statement.

The supermarket group has also promised to issue replacement vouchers after some account holders reported that the attackers had cleaned them out, reports the BBC.

Trey Ford, global security strategist at security firm Rapid7, said the attack may not be limited to Tesco.com customers.

“Chances are the attackers have tried using the stolen credentials on other sites too and so we may see additional fallout,” he said.

Ford said initial indications are that Tesco itself was not breached. He said that, if this proves to be the case, those affected have no-one but themselves to blame.

“This is about consumer behaviour – people continue to re-use passwords and other credentials across multiple sites, making it easy for attackers to compromise them,” he said.

“It’s essential to learn the lesson from this incident before the cost becomes greater.”

Charles Sweeney, chief executive of security firm Bloxx, said companies obviously have a duty of care to protect customer information.

“But customers also have a role to play in protecting themselves by not using the same password combinations or using passwords that are easy to second guess, like their address or birthdate,” he said.

Ford said dealing with multiple complex passwords across various sites and services is a challenge, but encrypted password vaults such as LastPass, 1Password and KeePassX can help.

Anyone concerned their accounts are at risk should create unique passwords for each online account and store them in a password vault, starting with their email password.

The latest data breach comes a year after attackers accessed hundreds of Tesco Clubcard accounts, but it also comes within days of Tesco revealing more than 1,000 customer email addresses, reports the Telegraph.

Tesco sent an email apologising for a pricing error, but all the recipients’ email addresses were visible to all the other recipients.

A Tesco spokesman said: "The security of our customers’ data is of the utmost importance to us, and we apologise sincerely to any of our customers who were affected. We are conducting a thorough review of our processes to ensure this never happens again."

