Tesco is issuing new cards to 600,000 Clubcard account holders after unearthing a security issue

Posted 2nd Mar
Got a genuine email from Clubcard yesterday stating that an attempt had been made to access my Clubcard account and remove the vouchers. The account has been secured and a new account number/password will be issued. All points and vouchers will be transferred to the new account within 5 days. Just had a chat with Clubcard customer services, who had very little info apart from that a lot of people had been calling today and that the breach was from an external database hijack.
Just wondering if anyone else has had this?
Community Updates
Lead deal editor
Bit more info below, I've also updated the title.

Tesco is issuing new cards to 600,000 Clubcard account holders after unearthing a security issue.

The supermarket giant said it believed a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases.

No financial data was accessed and its systems have not been hacked, it added.

It said this was a precautionary measure and apologised for the inconvenience.

"We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers," a Tesco spokesperson said.

"Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts."

The supermarket said it had emailed everybody potentially affected, that nobody would lose their points and new vouchers would also be issued.



61 Comments
Signed into general tesco account yesterday and was told account was locked and I needed to change password. Have done that but nothing to protect as I spent my vouchers last week.
Tesco have issued a warning to 600,000 customers over a "security issue": bbc.co.uk/new…687
Kind of answering my own question, BBC started reporting it an hour ago. bbc.co.uk/new…687
What is worrying is that to access your Clubcard vouchers you need to know 3 digits from the Clubcard number as well as the user/email address and password. I asked Clubcard agent that question but not known.
Completely unrelated but a few years back I lost my clubcard after moving address. I couldn't change my address without those 3 digits from my clubcard and I couldn't do that without a new clubcard. However I couldn't get a new clubcard because I had moved and they wanted to send it to my old address. Catch 22 :/

I just got a new clubcard account in the end lol.
Edited by: "Maverick77" 2nd Mar
airbus330 02/03/2020 17:55

Kind of answering my own question, BBC started reporting it an hour ago. https://www.bbc.co.uk/news/technology-51710687
What is worrying is that to access your Clubcard vouchers you need to know 3 digits from the Clubcard number as well as the user/email address and password. I asked Clubcard agent that question but not known.

Maybe you didn't know that a few years ago hackers or maybe staff were stealing millions of pounds worth of vouchers.
Exact same email.
Misslovely 02/03/2020 22:11

Maybe you didn't know that a few years ago hacker or maybe staff were stealing millions of pounds worth of vouchers.

I didn't, pretty grim
I use a unique password for every site, so how would an ''external database hijack'' compromise my Tesco account? Any password linked to my email will be incorrect. Also, why haven't they got a 2 factor authentication option?
bo0td 02/03/2020 23:42

I use a unique password for every site, so how would an ''external database hijack'' compromise my Tesco account? Any password linked to my email will be incorrect. Also, why haven't they got a 2 factor authentication option?

It wouldn't be. Clubcard wasn't hacked, it was cracked. Credential stuffing attacks happen on lots of sites. It's what happens when people use same password for everything.
correct
At least they have been honest about it unlike Morrisons and their More Card which I had a load of vouchers taken and used 150 miles away and was then sent a standard template email on internet security.
thisismoney.co.uk/mon…tml
Edited by: "skybluesccfc" 3rd Mar
bo0td 02/03/2020 23:42

I use a unique password for every site, so how would an ''external database hijack'' compromise my Tesco account? Any password linked to my email will be incorrect. Also, why haven't they got a 2 factor authentication option?

they do - you need to enter 3 random digits from your clubcard number
bo0td 02/03/2020 23:42

I use a unique password for every site, so how would an ''external database hijack'' compromise my Tesco account? Any password linked to my email will be incorrect. Also, why haven't they got a 2 factor authentication option?

How do you remember all of them?
jinkssick 03/03/2020 10:56

How do you remember all of them?


Most people can't, I guess that's the point, you have to have the card or a copy of the number as well as the username/password. Hence 2 factor in a primitive way.
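The mechanism the comment above describes, as an added example (this is illustrative code written for this page, not Tesco's implementation, and the card number, the lockout threshold and the choice to hold the same three positions across failed attempts are all assumptions). The point it shows: with the password already leaked, an attacker's remaining task is a 1-in-1000 guess per attempt, and a small lockout count keeps the success probability per account at a fraction of a percent.

```python
from __future__ import annotations

import hmac
import secrets

CHALLENGE_DIGITS = 3   # three digits of the card number, as described in the thread
MAX_FAILURES = 3       # assumed lockout threshold, not Tesco's actual policy


class PartialNumberChallenge:
    """Ask for CHALLENGE_DIGITS randomly chosen digits of the stored card number.

    The positions are chosen once and held until the challenge is passed or the
    account locks, so a caller cannot keep requesting fresh challenges until the
    positions land on digits they happen to know (e.g. from a partly masked
    receipt). The rng parameter defaults to the secrets module; a seeded
    random.Random is accepted for tests.
    """

    def __init__(self, card_number: str, rng=secrets):
        if not card_number.isdigit():
            raise ValueError("card number must be digits only")
        self._card = card_number
        self._rng = rng
        self._positions = None
        self.failures = 0
        self.locked = False

    def positions(self) -> list[int]:
        """1-based positions to ask for, e.g. [4, 9, 15]."""
        if self._positions is None:
            pool = list(range(1, len(self._card) + 1))
            chosen = []
            for _ in range(CHALLENGE_DIGITS):
                c = self._rng.choice(pool)   # distinct positions
                pool.remove(c)
                chosen.append(c)
            self._positions = sorted(chosen)
        return list(self._positions)

    def verify(self, answer: str) -> str:
        """Return 'ok', 'wrong' or 'locked'."""
        if self.locked:
            return "locked"
        expected = "".join(self._card[p - 1] for p in self.positions())
        # Length check first, then constant-time comparison of the digits.
        if len(answer) == len(expected) and hmac.compare_digest(
            answer.encode(), expected.encode()
        ):
            self.failures = 0
            self._positions = None   # next login gets fresh positions
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "wrong"


def guess_probability(attempts: int = MAX_FAILURES, k: int = CHALLENGE_DIGITS) -> float:
    """Chance an attacker who already has the password passes the digit check
    by guessing, given `attempts` tries before lockout."""
    return attempts / 10 ** k


if __name__ == "__main__":
    # Constructed card number, not a real one.
    challenge = PartialNumberChallenge("123456789012345678")
    print("enter digits at positions", challenge.positions())
    print("guess probability before lockout:", guess_probability())
```

The digit check is only a second *knowledge* factor: anyone who photographs the card, or reads the number off a receipt or a shared account, has both factors. That is why the comments further down still recommend unique passwords and a password manager; the three digits raise the cost of a stuffing run, they do not replace a unique password.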
jinkssick 03/03/2020 10:56

How do you remember all of them?


Use a password manager, like Keepass which is free. All you need to remember is one very secure password to open the database, then you copy and paste username/passwords from it.
skybluesccfc 03/03/2020 10:36

At least they have been honest about it unlike Morrisons and their More Card which I had a load of vouchers taken and used 150 miles away and was then sent a standard template email on internet security.
https://www.thisismoney.co.uk/money/bills/article-7706955/Morrisons-customers-card-loyalty-points-vanish.html

If there was no breach of their system, internet security advice is all they *can* do. It's very common for leaked email addresses/passwords to be tried on completely different sites and it's not the fault of those sites, nor can they do anything about it.

Apart from 2-Factor Authentication, but it's still nowhere near ubiquitous and often impractical.
I'm more annoyed hotels.com has gone from Clubcard Boost!
Sure I had about a million Clubcard points
Keep all passwords dramatically different and even better generate random numbers, letters and capitals. Have two step enabled on everything also.
EndemicAlarm 03/03/2020 11:16

Use a password manager, like Keepass which is free. All you need to remember is one very secure password to open the database, then you copy and paste username/passwords from it.

Even better, if you use an iPhone, use Apple Keychain. It's seamless, generates passwords for you and stores them all locally unless you back up your device or use iCloud, which then syncs them all to other devices; this does get stored with Apple.
malhal 03/03/2020 12:37

Im more annoyed hotels.com has gone from clubcard boost!


That is annoying, I have already used mine. It's annoying you can't use the voucher against hotel fees.
jamie15 03/03/2020 07:54

Clubcard wasn't hacked, it was cracked. Credential stuffing attacks happen on lots of sites.


Generation X-er here. Could you explain that in layman's terms please? Thank you

Edit: been done below.
Edited by: "Hacked" 3rd Mar
andyatkinson 03/03/2020 13:06

That is annoying I have already used mine. its annoying you cant use the voucher against hotel fee's

That didn’t bother me given how massive the saving was already. I used it for literally every hotel booking in the last three years
malhal 03/03/2020 12:37

Im more annoyed hotels.com has gone from clubcard boost!


Didn't know that either! What a pain. Did anything replace it for hotels?
Hacked 03/03/2020 13:07

Generation X-er here. Could you explain that in layman's terms please? Thank you

It's what I said above.

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

...

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.

en.wikipedia.org/wik…ing
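The "large-scale automated login requests" in the definition quoted above are exactly what a login endpoint's own logs reveal, which is how an operator's "internal systems picked this up quickly". The script below is an added example written for this page, not Tesco's detection logic: it runs over a constructed login log (the addresses, accounts and timestamps are made up) and separates a credential-stuffing source (one attempt each against many accounts, mostly failing) from a brute-force source (many attempts against one account) and from an ordinary user who mistyped a password twice. The thresholds are assumptions for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login log, not real data: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2020-03-01T18:00:01Z 203.0.113.7 alice@example.com FAIL
2020-03-01T18:00:01Z 203.0.113.7 bob@example.com FAIL
2020-03-01T18:00:02Z 203.0.113.7 carol@example.com SUCCESS
2020-03-01T18:00:02Z 203.0.113.7 dave@example.com FAIL
2020-03-01T18:00:03Z 203.0.113.7 erin@example.com FAIL
2020-03-01T18:00:03Z 203.0.113.7 frank@example.com SUCCESS
2020-03-01T18:00:04Z 203.0.113.7 grace@example.com FAIL
2020-03-01T18:00:04Z 203.0.113.7 heidi@example.com FAIL
2020-03-01T18:00:05Z 203.0.113.7 ivan@example.com FAIL
2020-03-01T18:00:05Z 203.0.113.7 judy@example.com FAIL
2020-03-01T18:05:10Z 198.51.100.2 alice@example.com FAIL
2020-03-01T18:05:20Z 198.51.100.2 alice@example.com FAIL
2020-03-01T18:05:45Z 198.51.100.2 alice@example.com SUCCESS
2020-03-01T18:07:00Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:01Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:02Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:03Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:04Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:05Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:06Z 192.0.2.9 mallory@example.com FAIL
2020-03-01T18:07:07Z 192.0.2.9 mallory@example.com FAIL
"""

# Assumed thresholds for illustration; a real deployment tunes these per endpoint.
MIN_ATTEMPTS = 8          # ignore sources with fewer attempts than this
STUFFING_SPREAD = 0.8     # fraction of attempts that target a different account
STUFFING_FAIL_RATE = 0.5
BRUTE_FORCE_FAIL_RATE = 0.8


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)
    successes: set = field(default_factory=set)   # accounts this source got into


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Split each non-empty line into (timestamp, ip, account, result)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            rows.append((ts, ip, account, result))
    return rows


def source_stats(rows) -> dict[str, SourceStats]:
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, ip, account, result in rows:
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if result == "SUCCESS":
            s.successes.add(account)
        else:
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats) -> str:
    """'stuffing', 'brute_force' or 'normal' for one source address."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    fail_rate = s.failures / s.attempts
    spread = len(s.accounts) / s.attempts
    if spread >= STUFFING_SPREAD and fail_rate >= STUFFING_FAIL_RATE:
        return "stuffing"      # leaked list replayed: one try each, many accounts
    if len(s.accounts) == 1 and fail_rate >= BRUTE_FORCE_FAIL_RATE:
        return "brute_force"   # password guessing: many tries, one account
    return "normal"


def analyse(text: str) -> dict[str, list[str]]:
    """Flag sources, and list accounts a stuffing source logged into
    (the ones that 'may have worked in some cases' and need locking)."""
    stats = source_stats(parse_log(text))
    verdicts = {ip: classify(s) for ip, s in stats.items()}
    compromised = set()
    for ip, s in stats.items():
        if verdicts[ip] == "stuffing":
            compromised |= s.successes
    return {
        "stuffing": sorted(ip for ip, v in verdicts.items() if v == "stuffing"),
        "brute_force": sorted(ip for ip, v in verdicts.items() if v == "brute_force"),
        "compromised": sorted(compromised),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Per-address counting is the simplest cut and is what the sample data is built to show; a real stuffing run is spread across thousands of proxy addresses with one or two attempts each, so production detection aggregates the same spread-versus-failure signal per network, per client fingerprint and per time window rather than per IP, and the "compromised" list is what drives the account locks and reissued cards the thread describes.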
malhal 03/03/2020 12:37

Im more annoyed hotels.com has gone from clubcard boost!


Didn't realise that! That's all I ever used my vouchers for. Thanks for the heads up.
EndemicAlarm 03/03/2020 13:26

It's what I said above.
Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
...
Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.
https://en.wikipedia.org/wiki/Credential_stuffing

Thank you
I purchased a Merlin pass code from gumtree and now I've seen this worried it's been stolen and I've put my name and details to it.
Hacked 03/03/2020 13:07

Generation X-er here. Could you explain that in layman's terms please? Thank you :)
Edit: been done below.

I know it's been explained below but to put it simply, use unique passwords across sites and this won't happen. Use a password manager and you only have to remember one password, everything else can be made unique.
Edited by: "jamie15" 3rd Mar
JonBetts2004 03/03/2020 13:48

Didn't realise that! That's all I ever used my vouchers for. Thanks for the heads up.


I just heard it is a technical issue apparently so hopefully will return. Sadly I had to book some hotels without 66% off, awful paying full price
EndemicAlarm 03/03/2020 11:22

If there was no breach of their system, internet security advice is all they *can* do. It's very common for leaked email addresses/passwords to be tried on completely different sites and it's not the fault of those sites nor they can do anything about it.
Apart from 2-Factor Authentication, but it's still nowhere near ubiquitous and often impractical.

People don't understand that if you add 2FA you can kiss goodbye to the older generation wanting to use said products
Gumbon 03/03/2020 15:26

People don't understand that if you add 2FA you can kiss goodbye to the older generation wanting to use said products

I think there is some truth in that. My personal hate is the range of 2fa. Each provider with a slightly different method. If the IT and Financial services industries could agree a standard that everyone used and was Senior friendly, it would help a lot. This is true for myself, I KNOW I need to get a password manager, but they are all different, some are free, which is secure, which will be around in 10 years? So I sit back and do nothing, to the fraudsters delight!
airbus330 03/03/2020 15:43

I think there is some truth in that. My personal hate is the range of 2fa. Each provider with a slightly different method. If the IT and Financial services industries could agree a standard that everyone used and was Senior friendly, it would help a lot. This is true for myself, I KNOW I need to get a password manager, but they are all different, some are free, which is secure, which will be around in 10 years? So I sit back and do nothing, to the fraudsters delight!

There are only 3 types of 2FA commonly used as far as I know: SMS, email, and time based (using an Authenticator app). Time based is the most secure.

Regarding password managers, if one closes down it's likely they will let you export your data. LastPass and Dashlane both have free plans - LastPass stores unlimited passwords but are trusted less than Dashlane. Dashlane allow maximum of 50 passwords on free plan.
Edited by: "jamie15" 3rd Mar
davidoff86 03/03/2020 10:55

they do - you need to enter 3 random digits from your clubcard number


So how did they enter my account? I use a unique password, and my Clubcard is in my wallet.
bo0td 03/03/2020 16:00

So how did they enter my account? I use a unique password, and my Clubcard is in my wallet.

Is the password on your email address unique? Are you sure the password is unique? Have you received any emails from Clubcard lately where you have clicked through the email and signed in?
All of my passwords are unique, and everything that allows 2FA has it. Even if someone has my password manager password, they'd need a 2FA code. Even if they had that, I'd know that they had logged in to the account, as I get notified. Same thing with my email account. I never click links. I go directly to the site.
airbus330 03/03/2020 15:43

I think there is some truth in that. My personal hate is the range of 2fa. Each provider with a slightly different method. If the IT and Financial services industries could agree a standard that everyone used and was Senior friendly, it would help a lot. This is true for myself, I KNOW I need to get a password manager, but they are all different, some are free, which is secure, which will be around in 10 years? So I sit back and do nothing, to the fraudsters delight!

Another thing people don't understand is ''why don't they just add 2FA''

Think of Tesco servers or Barclays Bank systems like it's an iPhone 5 or a Nexus 4: "Sorry, you can't install this app on Android 4.0, you need to update."

The systems are often too old to work with new technologies. Of course this is not completely the case, but it gives a good idea of it; companies will try to implement things but have issues with it breaking functionality, fixing issues can be very costly and it can just get scrapped.
I got a text message informing me they were replacing my card, I never gave it a second thought as it's the 3rd time in 6 months...
I thought it was something to do with all the micro-transactions I do (curse that vending machine in work!). When I tried it in a store I had to use my PIN as the contactless was denied (I've got over the embarrassment that causes, I guess I should point that out to Tesco though!)