150,000 Boots Advantage Card accounts affected by password stuffing

The company's IT team discovered "unusual activity" on numerous accounts

Boots was forced to suspend payments using its loyalty points system after discovering a potential security incident affecting 150,000 users of the drugstore chain’s loyalty programme.

A spokesperson for the company confirmed that they had contacted “a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts”.

“This was after our IT security team spotted unusual activity on a number of Boots Advantage Card accounts, including attempts to access and spend Boots Advantage Card points,” said a spokesperson for the company, who gave assurances that the email and password details were not acquired from Boots.

“As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.”

One in 20 Britons (14 million people) had signed up for the Boots Advantage Card system, meaning the as-yet-unknown perpetrators of the cyber attack could have breached the data of a large user base. Details of the cyber attack are thin, but Boots said the attackers had tried to spend customer Advantage points through the card loyalty system.

The attack is an example of 'credential stuffing' or 'password stuffing', whereby usernames and passwords acquired from other online services are used to try to log in to a different service in the hope that the credentials have been reused. As such, the cyber attack was made against Boots, but did not involve compromising Boots' database or online service directly.

The cyber attack follows two similar incidents from earlier this week, involving free railway station wi-fi provider C3UK and Tesco’s Clubcard loyalty system. Around 600,000 accounts were believed to be hacked using stolen username and password combinations from other sites as scammers attempted to redeem vouchers amassed by Tesco’s shoppers.

Estimates from price comparison site Money Guru claim that any data stolen from Clubcard holders could be being traded “in Dark Web marketplaces” for as little as £2.70, while the average Briton's entire online identity could be bought for "less than £750".

“People’s data is so cheap simply because it’s so easy to get hold of,” said Jake Moore, a cybersecurity specialist at ESET. “Personal information is breached on what seems like a weekly basis, and then quickly features on the dark web for sale.”

Moore added that there is a “need to help educate people to look after their own personal cyber security”. 

“It’s insane that people are still using the same three passwords across all online accounts, and once one or two are compromised, the third is usually guessable,” he said. “When data is stolen there’s very little we can do about it. What we can do, though, is to be on alert for phishing emails, implement 2FA where possible, and start making all passwords unique for all sites.” 
