Tesco blocks 620,000 Clubcards after discovering a potential data breach

No computer system was hacked in the incident, according to the company

Tesco has blocked more than 620,000 Clubcards after a credential stuffing attack on its platform potentially exposing customer details.

The supermarket giant said it recently noticed some fraudulent activity on its website, wherein scammers tried out a database of usernames and passwords on its site. The database was likely stolen from another platform, but it may have worked in some cases, where customers used the same username and password, Tesco warned.

The scammer's main goal, the supermarket chain claims, was to redeem reward points that customers earn through the Clubcard loyalty scheme. Clubcard holders get one point for every pound they spend in the store. After collecting 100 points, customers receive a voucher worth £1. These vouchers usually expire within two years.

Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts

Tesco stressed that none of its systems were hacked in the security incident.

"Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts," a Tesco spokesperson said.

"At no point was any customer's financial data accessed."

The company said it has sent emails to all customers potentially affected by the attack, reassured them that they have not lost any Clubcard points and added that the company is issuing new Clubcards. Affected customers have also been advised to change their passwords as a precaution.

Many Clubcard holders complained about the security incident on social media.

"Somebody has hacked my Tesco Clubcard points. It's a mad world," Liam Wilson stated on Twitter.

Another customer, Max Gilbert, tweeted: "How the freak does someone commit fraud on a @Tesco clubcard."

Nearly 19 million people currently have a Clubcard account, according to BBC.

Tesco has asked customers with concerns over the incident to contact their customer services department.

This is however not the first security incident impacting Tesco customers.

In 2014, the company was forced to deactivate accounts of more than 2,000 customers after their login names and passwords were revealed by hackers.

In the security breach, hackers extracted usernames and passwords from non-Tesco websites and posted them on a text-sharing portal. The culprits then tested the stolen data against Tesco website in the hope that shoppers would use same user names and passwords for Tesco website as they do with other websites.