The attackers are said to have used credentials leaked in other hacks

Feb 14, 2014 07:55 GMT

On February 12, a file containing the email addresses, clear-text passwords, and loyalty card balances of 2,239 customers of the supermarket giant Tesco was published on Pastebin by an unidentified poster. The company has deactivated the accounts of the affected customers.

The company’s representatives have told the BBC that the credentials were not obtained from Tesco’s website. Instead, the attackers took username and password pairs leaked in older breaches and replayed them against Tesco’s login (a technique known as credential stuffing), counting on the fact that many people reuse the same email address and password across multiple online accounts.

The supermarket says that it’s replacing the vouchers of a “very small number” of affected customers.

Security expert Troy Hunt has some interesting theories on how the cybercriminals may have carried out this attack.

Even if Tesco’s databases were not hacked, the company does a poor job of preventing attackers from testing credentials stolen in other high-profile breaches against its own customers’ accounts.

For instance, the password recovery feature tells you whether or not an account exists for the email address you request a reset link for. This lets an attacker cheaply confirm which addresses from a leaked list belong to Tesco customers before spending a single password guess.
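The enumeration problem described above, as an added example that is not code from the article or from Tesco’s site: a password-reset endpoint written two ways, plus the attacker-side loop that turns the leaky version into an account-existence oracle. The registered addresses and the leaked list are constructed for the example.

```python
# Added example, not code from the article or from Tesco's site: a password-reset
# endpoint written two ways, plus the attacker-side loop that turns the leaky version
# into an account-enumeration oracle. The user table and addresses are constructed.
import secrets
from dataclasses import dataclass, field

# Constructed sample of registered accounts (hypothetical).
REGISTERED = {"alice@example.com", "bob@example.com"}


def reset_leaky(email: str) -> str:
    """Reset handler that reveals whether an address is registered."""
    if email.strip().lower() in REGISTERED:
        return "We have sent a password reset link to your e-mail address."
    return "We could not find an account for that e-mail address."


@dataclass
class ResetService:
    """Reset handler that gives the same answer for every address."""
    outbox: list = field(default_factory=list)  # (address, token) pairs queued for mailing

    def request_reset(self, email: str) -> str:
        addr = email.strip().lower()
        # Do the same work on both paths so response time does not leak either.
        token = secrets.token_urlsafe(32)
        if addr in REGISTERED:
            self.outbox.append((addr, token))
        return "If an account exists for that address, a reset link has been sent."


def enumerate_accounts(reset_fn, candidates):
    """Attacker side: probe a guaranteed-unknown address to learn the 'no account'
    reply, then keep every candidate whose reply differs from it."""
    baseline = reset_fn(f"probe-{secrets.token_hex(8)}@example.invalid")
    return [e for e in candidates if reset_fn(e) != baseline]


# Constructed stand-in for addresses harvested from an unrelated breach.
LEAKED_ADDRESSES = ["alice@example.com", "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    print("leaky endpoint    ->", enumerate_accounts(reset_leaky, LEAKED_ADDRESSES))
    print("hardened endpoint ->", enumerate_accounts(ResetService().request_reset, LEAKED_ADDRESSES))
```

The hardened handler still needs a per-address rate limit (otherwise it becomes a mail-bombing tool) and the token it queues must be single-use and short-lived; those pieces are omitted here to keep the contrast with the leaky reply visible.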

Furthermore, the website has no protection against brute-force attacks, so an attacker can try a large number of passwords in a short period. All of this can be scripted; the attacker doesn’t have to try the passwords manually one by one.
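The missing control, as an added example that is not code from the article or from Tesco’s site: a login throttle that counts failures per source IP and per account over a sliding window and locks an account after repeated failures, run against a simulated credential-stuffing replay. The accounts, the leaked list, the thresholds (20 per IP and 5 per account in 5 minutes, 15-minute lockout) and the low PBKDF2 iteration count are all assumptions chosen for the example.

```python
# Added example, not code from the article or from Tesco's site: a sliding-window
# login throttle and a simulated credential-stuffing run against it. Accounts,
# leaked pairs and thresholds are constructed assumptions.
import hashlib
import hmac
import os
from collections import defaultdict, deque


class LoginThrottle:
    """Failure counters per IP and per account over a sliding window (assumed limits)."""

    def __init__(self, per_ip=20, per_account=5, window=300, lock_seconds=900):
        self.per_ip, self.per_account = per_ip, per_account
        self.window, self.lock_seconds = window, lock_seconds
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}                      # account -> unlock time

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def check(self, ip, account, now):
        """Decide before the password is even looked at. Returns (allowed, reason)."""
        if self.locked_until.get(account, 0) > now:
            return False, "account_locked"
        self._prune(self.ip_failures[ip], now)
        if len(self.ip_failures[ip]) >= self.per_ip:
            return False, "ip_throttled"
        return True, "ok"

    def record_failure(self, ip, account, now):
        self.ip_failures[ip].append(now)
        dq = self.account_failures[account]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= self.per_account:
            self.locked_until[account] = now + self.lock_seconds

    def record_success(self, account):
        self.account_failures.pop(account, None)


def _hash(password, salt):
    # Iteration count kept low so the example runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed accounts; alice reuses a password that also appears in the leaked list.
USERS = {
    "alice@example.com": make_record("Winter2013"),
    "bob@example.com": make_record("correct horse battery staple"),
}
_DUMMY = make_record("dummy")


def verify(account, password):
    # Hash against a dummy record for unknown accounts so timing does not reveal existence.
    salt, stored = USERS.get(account, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, salt))
    return ok and account in USERS


# Constructed leaked list: 25 junk pairs followed by alice's reused credential.
LEAKED = [(f"user{i}@example.com", f"leaked{i}") for i in range(25)] + [
    ("alice@example.com", "Winter2013")
]


def stuff(throttle, ip="203.0.113.7", start=1_000.0):
    """Replay the leaked list from one IP at one attempt per second."""
    result = {"tried": 0, "blocked": 0, "compromised": []}
    for i, (account, password) in enumerate(LEAKED):
        now = start + i
        allowed, _ = throttle.check(ip, account, now)
        if not allowed:
            result["blocked"] += 1
            continue
        result["tried"] += 1
        if verify(account, password):
            result["compromised"].append(account)
            throttle.record_success(account)
        else:
            throttle.record_failure(ip, account, now)
    return result


if __name__ == "__main__":
    print("no throttle  ->", stuff(LoginThrottle(per_ip=10**9)))
    print("with throttle->", stuff(LoginThrottle()))
```

Note that failures for unknown accounts count against the IP just like real ones, so the throttle does not become a second enumeration oracle. A distributed attack from many IPs still gets through the per-IP limit; that is what the per-account lock and, beyond this example, device fingerprinting and breached-password screening are for.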

Another problem lies in Tesco’s password policy. Passwords must be between six and ten characters long, and they “can” (not must) contain a mixture of letters and numbers.

“All of this dramatically decreases the character space of passwords which in turn dramatically increases the likelihood of an account being brute forced. This practice almost certainly played a part in the breach if brute force was indeed involved,” Hunt explained.
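To put numbers on Hunt’s point, an added example that is not code from the article or from Tesco’s site: the keyspace a length-capped policy leaves an attacker, next to a validator for the weak policy as the article describes it and for a hardened one that drops the cap and screens against a breach corpus. The character-set sizes, the 12-character minimum, the guess rate and the tiny breach list are assumptions for the example.

```python
# Added example, not code from the article or from Tesco's site: keyspace arithmetic
# for a length-capped policy, and a weak-vs-hardened password validator.
# Character-set sizes, minimum length and the breach list are assumptions.
import string


def keyspace(min_len, max_len, charset_size):
    """Number of distinct passwords a policy permits, summed over allowed lengths."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / 3600


ALNUM = len(string.ascii_letters + string.digits)  # 62: letters and digits, mixed case
LOWER = len(string.ascii_lowercase)                # 26: what users pick when digits are optional
PRINTABLE = 95                                     # full printable ASCII


def weak_policy(pw):
    """The policy as the article describes it: 6 to 10 characters, nothing else required."""
    if len(pw) < 6:
        return False, "too_short"
    if len(pw) > 10:
        return False, "too_long"
    return True, "ok"


# Constructed stand-in for a corpus of passwords seen in other breaches.
BREACHED = {"password1", "winter2013", "qwerty123", "letmein1", "passwordpassword"}


def hardened_policy(pw):
    """Long minimum, a cap high enough never to bite, and a breach-corpus check."""
    if not 12 <= len(pw) <= 128:
        return False, "length"
    if pw.lower() in BREACHED:
        return False, "breached"
    return True, "ok"


if __name__ == "__main__":
    rate = 1_000  # assumed online guesses per second against an unthrottled login
    for label, space in [
        ("6-10 chars, lowercase only", keyspace(6, 10, LOWER)),
        ("6-10 chars, alphanumeric", keyspace(6, 10, ALNUM)),
        ("12 chars, printable ASCII", keyspace(12, 12, PRINTABLE)),
    ]:
        print(f"{label:28s} {space:.3e} passwords, {hours_to_exhaust(space, rate):.3e} h to exhaust")
    for pw in ["winter2013", "correct horse battery staple", "passwordpassword"]:
        print(f"{pw!r:32s} weak={weak_policy(pw)} hardened={hardened_policy(pw)}")
```

The weak policy accepts a breached ten-character password and rejects the long passphrase outright, which is the inversion Hunt describes: the cap forces users toward exactly the space an online attacker can cover. The hardened validator deliberately has no composition rules; length and a breach check do more than mandatory digits.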

Hunt has loaded the Tesco data into his “Have I Been Pwned?” service and says 15% of the email addresses were already in the haveibeenpwned.com database from earlier breaches. To see whether the Tesco breach affects you, check Have I Been Pwned?