Tesco Clubcard users whose online vouchers have been stolen should change their password immediately, after the supermarket giant revealed its explanation for a spate of fraud cases, following an investigation.
Tesco, which has 16 million Clubcard users, called in police last month to probe a breach after MoneySavingExpert.com revealed Clubcard vouchers were stolen from numerous online accounts. It promises to reissue all stolen vouchers.
The supermarket giant has admitted accounts were breached but insists its website was not hacked.
Instead, it says fraudsters accessed Clubcard accounts using the correct username and password, most probably sourced from somewhere else online, where customers have the same login details (see our Stop Scams, ID Fraud Protection and Free Anti-Virus Software guides to stay protected).
Tesco won't say how many customers fell victim, only that a "very small proportion" of Clubcard customers were hit. Yet even 1% would equate to 160,000. It says the police probe is ongoing.
When asked why Tesco suspects fraudsters stole login details from elsewhere, it would only say that "there is enough of a pattern to point to this".
Victims that Tesco has identified will receive an email today telling them to change their password. Their accounts have been blocked as a precaution.
Change your password
MoneySavingExpert.com news editor Guy Anker says: "MoneySavers love Tesco points and the scheme has millions of users, which is what makes this such a huge issue.
"Anyone affected should change their password immediately, not only on their Clubcard account, but on all other online accounts. Also check the rest of your Clubcard account details are correct.
"All other Tesco Clubcard customers, who even remotely suspect they may have fallen victim to this fraud, should also follow the steps above.
"Everyone should try to change passwords regularly, and ensure they are complex enough so they're difficult to guess. It's also wise to use different passwords for different accounts."
Many users reported last month that when logging into their Clubcard account they found hundreds of pounds worth of vouchers missing. Some were told by Tesco that vouchers were spent miles from their home.
Others victims were unable to log into their accounts, while some were told the name on their account had been changed.
Can I get vouchers back?
Tesco will automatically reissue Clubcard vouchers today where someone's account has been compromised, which you can use immediately.
If you think you were a victim but haven't had your vouchers recredited, get in touch with Tesco.
A Tesco spokeswoman says: "Our security systems have identified some irregular activity connected to a small proportion of Clubcard accounts. A full investigation is underway and we have referred this matter to the police.
"We believe the accounts were accessed using the correct username and password, but by someone other than the account holder. We are confident that this information did not come from any Tesco websites, and that our website security has not been breached.
"We have blocked affected customers' accounts until they change their passwords and written to them to remind them to use different passwords, to be as secure as possible online. We urge all our customers to follow this advice.
"We will ensure no customers lose out."