Tesco lose £64k in Clubcard vouchers to hackers
2,240 stolen email and password combinations for the Tesco site were posted online today.
At the time of writing, the cache of personal information was still publicly available on Pastebin, a site for sharing large amounts of text which is mainly used by programmers.
The passwords are accompanied by the value of vouchers in the accounts: £64,288.50 worth of Clubcard vouchers in all.
Tesco say they are "urgently investigating" the incident and will work to ensure that customers don't suffer financial loss as a result of the data breach.
The supermarket giant has suspended all of the accounts affected and contacted the account holders, though Tesco customers concerned that their details could be online can also check on the Have I Been Pwned? site.
Clubcard fraud strikes again
Concern that Tesco's Clubcard vouchers could be a magnet for online fraud has been growing in recent months.
A few weeks ago three men who spent £17,331 using stolen Clubcard vouchers were sentenced in court.
The men had no problem exchanging vouchers for thousands of pounds of Tesco shopping online and in store and were only caught when one man had a crisis of conscience and went to the police.
In other cases, Tesco customers have had their online accounts broken into and their vouchers downloaded and spent.
In today's case we're in the unique position of being able to see exactly how much has been taken from Tesco accounts, if the information posted is accurate and all the accounts listed were drained of reward points.
In all, the vouchers displayed in the cache (see image right, showing a sample of the data) are worth £64,288.50.
Most account holders were listed as only having a small amount in Clubcard vouchers in their accounts.
For example, of the 2,240 accounts exposed, 661 had between £10 and £20 in Clubcard vouchers.
Just 23 of the accounts had between £80 and £89 in Clubcard vouchers, although that means that if thieves have stolen the vouchers in these accounts they've made off with £1,921 from those 23 people alone.
Were Tesco hacked?
The list of Tesco log-ins on Pastebin looks as though it was taken straight from the Tesco site and even includes some messages from the page footers, like this somewhat ironic message:
However, investigators say that the data wasn't actually stolen from Tesco.
Instead, they say, attackers took email and password combinations stolen from elsewhere and tried thousands of them on the Tesco site, a technique known as credential stuffing, which works whenever people reuse the same password across sites.
Today's list shows the combinations that worked and the outcomes, in Clubcard pounds, for the criminals.
Tesco security under fire
However, as security expert Troy Hunt points out in this lengthy post, which is well worth a read if you're interested in these issues, the fact that the Tesco site wasn't hacked doesn't mean the supermarket couldn't have prevented the account breaches.
Mr Hunt points out a number of weak areas on the site which allowed criminals to try out thousands of emails and passwords.
For example, he points out, the Tesco system will let you try different wrong passwords against a single email address over and over again without locking the account or slowing down further attempts, which is exactly what an attacker testing a list of stolen credentials needs.
This leniency is convenient for customers who are liable to forget their passwords, and Tesco probably calculate that the increased risk of fraud is outweighed by the business they keep by not annoying customers with lockouts and forced password resets.
Today they have some extra figures to add into that calculation, however: £64,000 in stolen Clubcard vouchers and millions of Tesco customers left wondering whether their online accounts are secure.
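As an added illustration of the two controls the article touches on, the code below (written for this page, not Tesco's system or code from Troy Hunt's post) models a per-account failed-login lockout and a simple detector that looks across login records for a source trying many distinct accounts with a low success rate, the signature of credential stuffing. The thresholds, the log format, the IP addresses and the sample records are constructed assumptions.

```python
"""Added example: login lockout and credential-stuffing detection.

Illustrative code for this article only; it is not Tesco's code and not
taken from Troy Hunt's post. Thresholds, log format and sample records
below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Refuse logins for an account after too many consecutive failures.

    After max_failures failures the account is locked for lockout_seconds;
    a successful login resets the counter. The clock is passed in so the
    behaviour is deterministic.
    """
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def attempt(self, account, password_ok, now):
        # While the lockout window is open, refuse before checking the
        # password so the attacker learns nothing about its correctness.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            return "locked"
        return "fail"


def build_sample_log():
    """Constructed login records: '<timestamp> <source ip> <account> <outcome>'."""
    lines, t = [], 1000
    # An attacker at 203.0.113.7 (constructed) tries twelve accounts once
    # each; two of the stolen email/password pairs happen to be reused here.
    for i in range(12):
        outcome = "ok" if i in (3, 9) else "fail"
        lines.append(f"{t} 203.0.113.7 user{i:02d}@example.com {outcome}")
        t += 1
    # A legitimate user mistypes once, then signs in.
    lines.append(f"{t} 198.51.100.4 user03@example.com fail")
    lines.append(f"{t + 5} 198.51.100.4 user03@example.com ok")
    return "\n".join(lines)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        rows.append((int(ts), ip, account, outcome))
    return rows


def find_stuffing_sources(rows, min_accounts=10, max_success_rate=0.2):
    """Flag source IPs that hit many distinct accounts with mostly failures.

    Returns {ip: [accounts that succeeded from that ip]}, i.e. the
    'combinations that worked' an attacker would keep.
    """
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": []})
    for _, ip, account, outcome in rows:
        s = stats[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if outcome == "ok":
            s["ok"].append(account)
    flagged = {}
    for ip, s in stats.items():
        rate = len(s["ok"]) / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = sorted(s["ok"])
    return flagged


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for i in range(4):
        print("attempt", i, throttle.attempt("alice@example.com", False, now=i))
    print(find_stuffing_sources(parse_log(build_sample_log())))
```

Note that a per-account lockout on its own does little against credential stuffing: the attacker tries each account only once with its leaked password, so no single account ever trips the counter. That is why the detector keys on the source rather than the account, counting distinct accounts and the success rate per IP; in practice the same view is needed per client fingerprint and per network range, since attackers spread attempts across proxies.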
Mr Hunt has previously warned that the Tesco site is insecure, going so far as to alert the Information Commissioner's Office (ICO) to serious problems in 2012.
The ICO, which is tasked with making sure businesses keep personal information they hold secure, launched an investigation into Tesco, though the results were never made public.