Credential-stuffing attack affected up to 150,000 Boots loyalty accounts

Health and beauty products retailer Boots recently suspended the use of Advantage loyalty cards after a credential-stuffing attack by hackers using stolen passwords affected up to 150,000 loyalty accounts.

The Advantage Card is a loyalty programme in which customers earn 4 points for every £1 spent in Boots stores or on its website. After the recent attempt by hackers to gain illegal access to hundreds of thousands of loyalty accounts, Boots put a temporary halt to its Advantage Card payment options.

A spokeswoman for Boots told the BBC that the company's own systems were not affected, even though the cyber attack impacted up to 150,000 Advantage Card users. The company also confirmed that no credit card information was accessed.

Commenting on the suspension of Advantage Card payments, the Boots spokeswoman told the BBC that the measure was taken to deal with the situation and stop any unauthorised use of loyalty points by the hackers. While customers cannot currently use their Advantage Card to make payments, they can still earn points until the payment option is restored.

"Our customers' safety and security online are very important to us. We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts," said Boots in a statement.

"These attempts can be successful if people use the same email and password details on multiple accounts. We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

Boots suspended the use of loyalty cards to prevent hackers from using stolen points

"As an extra precaution, we have temporarily stopped payment by Boots Advantage Card points on boots.com or in-store. This removes the ability for people to attempt to access any Boots accounts but means that customers will not be able to use Boots Advantage Card points to pay for products in-store and online for a short period of time.

"We are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently, we will, of course, replace them," the company added.

This incident took place shortly after Tesco suffered a credential-stuffing attack that compromised over 600,000 Tesco Clubcard accounts. Credential-stuffing attacks take place when hackers replay lists of usernames and passwords compromised from other websites against a target site, looking for accounts whose owners reused the same combination.
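Credential stuffing leaves a distinctive footprint in authentication logs: one source cycling through many different accounts with a low success rate, unlike a legitimate user retrying a single account. The Python below is an added example, not code from the article or from Boots; it runs over a constructed log sample in an assumed format and flags such sources together with the accounts that did log in from them, which are the candidates for a forced password reset and a hold on point spending.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login audit lines for a retail site (not real
# Boots data). Assumed format: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2020-03-05T09:00:01 203.0.113.7 alice@example.com FAIL
2020-03-05T09:00:02 203.0.113.7 bob@example.com FAIL
2020-03-05T09:00:02 203.0.113.7 carol@example.com OK
2020-03-05T09:00:03 203.0.113.7 dave@example.com FAIL
2020-03-05T09:00:04 203.0.113.7 erin@example.com FAIL
2020-03-05T09:00:05 203.0.113.7 frank@example.com OK
2020-03-05T09:01:10 198.51.100.4 grace@example.com FAIL
2020-03-05T09:01:20 198.51.100.4 grace@example.com FAIL
2020-03-05T09:01:31 198.51.100.4 grace@example.com OK
"""

def parse_log(text):
    """Turn raw lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account.lower(), outcome == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many *distinct* accounts inside one time window
    with a mostly failing outcome: the signature of replaying a leaked credential
    list, as opposed to one user retrying their own password (198.51.100.4 above).
    Returns {ip: {"accounts_tried": n, "compromised": [accounts that logged in]}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            success_rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and success_rate <= max_success_rate:
                # Keep the widest matching window seen for this source.
                if len(accounts) >= flagged.get(ip, {}).get("accounts_tried", 0):
                    flagged[ip] = {"accounts_tried": len(accounts),
                                   "compromised": sorted(a for _, a, ok in span if ok)}
    return flagged
```

In the constructed sample only 203.0.113.7 is flagged, with carol and frank as the accounts whose reused passwords worked; grace's three tries on her own account are left alone.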

Commenting on the targeting of Boots' IT systems by hackers using stolen credentials and the company's subsequent statement, Sam Curry, chief security officer at Cybereason, tells TEISS that consumers should work under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive pay-outs.

"Fool me once, shame on you. Fool me twice, shame on me. Fool me ten times, enough is enough! It's time to really up the ante: minimise the extent of possible breaches and compromises, minimise exposure when breaches like this occur. Having customer data is a privilege, not a right. The time to beef up security is long past.

"Explanations for breaches of this sort in the retail industry demand a little more than a form letter and business as usual. If crime actors find a new way to compromise data, the numbers shouldn't be in the 10s of millions, and the stories of how it's done should be getting more sophisticated. If not, it's like hanging a sign outside saying 'jobs wanted' by the fraudsters and that's not acceptable in 2020," he adds.
