150,000 Boots Advantage Card accounts affected by password stuffing

Boots was forced to suspend payments using its loyalty points system after discovering a potential security incident affecting 150,000 users of the drugstore chain’s loyalty programme.

A spokesperson for the company confirmed that they had contacted “a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts”.

“This was after our IT security team spotted unusual activity on a number of Boots Advantage Card accounts, including attempts to access and spend Boots Advantage Card points,” said a spokesperson for the company, who assured that the email and password details were not acquired from Boots.

“As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store. This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.”

One in 20 Britons (14 million people) had signed up for the Boots Advantage Card system, meaning the as-yet-unknown perpetrators of the cyber attack could potentially have reached the data of a large user base. Details of the cyber attack are thin, but Boots said the attackers had tried to spend customer Advantage points through the card loyalty system.

The attack is an example of 'credential stuffing' or 'password stuffing', in which usernames and passwords leaked from other online services are acquired and then used to try to log in to further services, in the hope that the credentials have been reused. As such, the cyber attack was made against Boots, but did not involve compromising Boots' database or online service directly.
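The pattern described above is what a defender looks for in login audit logs: one source trying a few credentials each against many distinct accounts, mostly failing, with the occasional success followed by an attempt to spend points. The following is an added example (not code from Boots or from this article) that runs such a check over constructed sample log lines; the four-field log format, the IP addresses, account ids and event names are all assumptions.

```python
from collections import defaultdict

# Constructed sample audit lines (not Boots data): timestamp, source IP, account, event.
# 203.0.113.7 tries one password each against many accounts; 198.51.100.9 is a
# legitimate user who mistyped a password once before spending points.
SAMPLE_LOG = """\
2020-03-05T10:00:01 203.0.113.7 user001 LOGIN_FAIL
2020-03-05T10:00:02 203.0.113.7 user002 LOGIN_FAIL
2020-03-05T10:00:03 203.0.113.7 user003 LOGIN_OK
2020-03-05T10:00:04 203.0.113.7 user003 POINTS_REDEEM
2020-03-05T10:00:05 203.0.113.7 user004 LOGIN_FAIL
2020-03-05T10:00:06 203.0.113.7 user005 LOGIN_FAIL
2020-03-05T10:01:00 198.51.100.9 user042 LOGIN_FAIL
2020-03-05T10:01:30 198.51.100.9 user042 LOGIN_OK
2020-03-05T10:02:00 198.51.100.9 user042 POINTS_REDEEM
"""

def parse_log(text):
    """Split each line into a dict of its four fields."""
    return [dict(zip(("ts", "ip", "account", "event"), line.split()))
            for line in text.splitlines()]

def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_accounts, fails, oks)} for sources that look like
    credential stuffing: a few tries each against many distinct accounts, mostly
    failing. A brute-force run against one account is deliberately not flagged."""
    stats = defaultdict(lambda: {"accounts": set(), "LOGIN_FAIL": 0, "LOGIN_OK": 0})
    for e in events:
        if e["event"] in ("LOGIN_FAIL", "LOGIN_OK"):
            stats[e["ip"]]["accounts"].add(e["account"])
            stats[e["ip"]][e["event"]] += 1
    flagged = {}
    for ip, s in stats.items():
        fails, oks = s["LOGIN_FAIL"], s["LOGIN_OK"]
        if len(s["accounts"]) >= min_accounts and fails / (fails + oks) >= min_fail_ratio:
            flagged[ip] = (len(s["accounts"]), fails, oks)
    return flagged

def accounts_to_lock(events, flagged_ips):
    """Accounts a flagged source logged into and then tried to spend points from:
    revoke the session, freeze the points balance and force a password reset."""
    logged_in, at_risk = set(), set()
    for e in events:
        if e["ip"] not in flagged_ips:
            continue
        if e["event"] == "LOGIN_OK":
            logged_in.add(e["account"])
        elif e["event"] == "POINTS_REDEEM" and e["account"] in logged_in:
            at_risk.add(e["account"])
    return at_risk
```

The thresholds are illustrative; in production they would be tuned per site and combined with rate limiting and 2FA on the redemption step rather than on login alone.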

The cyber attack follows two similar incidents from earlier this week, involving free railway station wi-fi provider C3UK and Tesco’s Clubcard loyalty system. Around 600,000 accounts were believed to have been accessed using username and password combinations stolen from other sites, as scammers attempted to redeem vouchers amassed by Tesco’s shoppers.

Estimates from price comparison site Money Guru claim that any data stolen from Clubcard holders could be traded “in Dark Web marketplaces” for as little as £2.70, while the average Briton's entire online identity could be bought for "less than £750".

“People’s data is so cheap simply because it’s so easy to get hold of,” said Jake Moore, a cybersecurity specialist at ESET. “Personal information is breached on what seems like a weekly basis, and then quickly features on the dark web for sale.”

Moore added that there is a “need to help educate people to look after their own personal cyber security”.

“It’s insane that people are still using the same three passwords across all online accounts, and once one or two are compromised, the third is usually guessable,” he said. “When data is stolen there’s very little we can do about it. What we can do, though, is to be on alert for phishing emails, implement 2FA where possible, and start making all passwords unique for all sites.”

Sabina Weston

Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.

Sabina has also held a number of editorial roles at Harper's Bazaar, Cube Collective, and HighClouds.