150,000 Boots Advantage Card accounts affected by password stuffing

The company's IT team discovered "unusual activity" on numerous accounts

Boots was forced to suspend payments using its loyalty points system after discovering a potential security incident affecting 150,000 users of the drugstore chain’s loyalty programme.

A spokesperson for the company confirmed that they had contacted “a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts”.

“This was after our IT security team spotted unusual activity on a number of Boots Advantage Card accounts, including attempts to access and spend Boots Advantage Card points,” said a spokesperson for the company, who assured that the email and password details were not acquired from Boots. 

“As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.”

One in 20 Britons (14 million people) had signed up for the Boots Advantage Card scheme, meaning the as yet unknown perpetrators of the cyber attack could have breached the data of a large user base. Details of the cyber attack are thin, but Boots said the attackers had tried to spend customer Advantage points through the loyalty card system.

The attack is an example of 'credential stuffing' or 'password stuffing', in which usernames and passwords leaked from other online services are acquired and then used to attempt logins to a different service, in the hope that the same credentials have been reused. As such, the cyber attack targeted Boots' customers, but did not involve compromising Boots' database or online service directly.
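As an added illustration, not code from the article or from Boots, the kind of check an IT security team could run over authentication logs to spot the "unusual activity" pattern described above: one source trying many distinct accounts with mostly failed logins. The log events and IP addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, outcome).
# 203.0.113.5 cycles through leaked username/password pairs; one of them works.
EVENTS = [
    ("203.0.113.5", "alice", "fail"),
    ("203.0.113.5", "bob", "fail"),
    ("203.0.113.5", "carol", "fail"),
    ("203.0.113.5", "dave", "fail"),
    ("203.0.113.5", "erin", "fail"),
    ("203.0.113.5", "frank", "success"),
    ("198.51.100.7", "alice", "fail"),     # ordinary user mistyping once
    ("198.51.100.7", "alice", "success"),
    ("192.0.2.9", "bob", "success"),
]


def source_stats(events):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "fail":
            s["fails"] += 1
    return stats


def flag_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Return sources whose behaviour matches credential stuffing:
    many different accounts tried from one source, most of them failing.
    Thresholds are illustrative and would be tuned to real traffic."""
    flagged = {}
    for ip, s in source_stats(events).items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]), "fail_ratio": round(fail_ratio, 2)}
    return flagged


def accounts_at_risk(events):
    """Accounts that were successfully logged into from a flagged source:
    candidates for a forced password reset and a hold on point spending."""
    flagged = flag_stuffing(events)
    return {user for ip, user, outcome in events
            if ip in flagged and outcome == "success"}
```

Blocking the flagged source alone is not enough; the accounts in `accounts_at_risk` were reached with a valid reused password, which is why a reset (or 2FA) is the durable fix.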

The cyber attack follows two similar incidents from earlier this week, involving free railway station wi-fi provider C3UK and Tesco’s Clubcard loyalty scheme. Around 600,000 Clubcard accounts were believed to have been accessed using username and password combinations stolen from other sites, as scammers attempted to redeem vouchers amassed by Tesco’s shoppers.

Estimates from price comparison site Money Guru claim that any data stolen from Clubcard holders could be traded “in Dark Web marketplaces” for as little as £2.70, while the average Briton's entire online identity could be bought for "less than £750".

“People’s data is so cheap simply because it’s so easy to get hold of,” said Jake Moore, a cybersecurity specialist at ESET. “Personal information is breached on what seems like a weekly basis, and then quickly features on the dark web for sale.”

Moore added that there is a “need to help educate people to look after their own personal cyber security”. 

“It’s insane that people are still using the same three passwords across all online accounts, and once one or two are compromised, the third is usually guessable,” he said. “When data is stolen there’s very little we can do about it. What we can do, though, is to be on alert for phishing emails, implement 2FA where possible, and start making all passwords unique for all sites.” 
