150,000 Boots Advantage Card accounts affected by password stuffing

The company's IT team discovered "unusual activity" on numerous accounts

Boots was forced to suspend payments using its loyalty points system after discovering a potential security incident affecting 150,000 users of the drugstore chain’s loyalty programme.

A spokesperson for the company confirmed that they had contacted “a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts”.

Advertisement - Article continues below

This was after our IT security team spotted unusual activity on a number of Boots Advantage Card accounts, including attempts to access and spend Boots Advantage Card points,” said a spokesperson for the company, who assured that the email and password details were not acquired from Boots. 

“As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.”

One in 20 Britons (14 million people) had signed up for the Boots’ Advantage Card system, meaning the as yet unknown perpetrators of the cyber attack could have breached the data of a large user base. Details of the cyber attack are thin, but Boots said the attackers had tried to spend customer Advantage points through the card loyalty system. 

Advertisement - Article continues below
Advertisement - Article continues below

The attack is an example of 'credential stuffing' or 'password stuffing' whereby usernames and passwords of other online services are acquired and then used to try and login to other services in the hope that the credential will have been reused. As such, the cyber attack was made against Boots, but did not involve compromising Boots' database or online service directly. 

The cyber attack follows two similar incidents from earlier this week, involving free railway station wi-fi provider C3UK and Tesco’s Clubcard loyalty system. Around 600,000 accounts were believed to be hacked using stolen username and password combinations from other sites as scammers attempted to redeem vouchers amassed by Tesco’s shoppers.

Estimates from price comparison site Money Guru claim that any data stolen from Clubcard holders could be being traded “in Dark Web marketplaces” for as little as £2.70, while the average Briton's entire online identity could be bought for "less than £750".

Advertisement - Article continues below

“People’s data is so cheap simply because it’s so easy to get hold of,” said Jake Moore, a cybersecurity specialist at ESET. “Personal information is breached on what seems like a weekly basis, and then quickly features on the dark web for sale.”

Moore added that there is a “need to help educate people to look after their own personal cyber security”. 

“It’s insane that people are still using the same three passwords across all online accounts, and once one or two are compromised, the third is usually guessable,” he said. “When data is stolen there’s very little we can do about it. What we can do, though, is to be on alert for phishing emails, implement 2FA where possible, and start making all passwords unique for all sites.” 

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now


General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular


Ransomware collective claims to have hacked NASA IT contractor

3 Jun 2020

The UK looks to Japan and South Korea for 5G equipment

4 Jun 2020

How data science is transforming business

29 May 2020