Boots blocks Advantage Card following cyber attack affecting 150,000 customer accounts

Boots claims it acted after identifying a credential-stuffing cyber attack

Boots has blocked Advantage loyalty card holders from using their cards to pay for goods today after detecting a cyber attack potentially compromising 150,000 accounts.

The company claims that it has been subjected to a credential-stuffing attack, which appears to have been successful in cracking the accounts of a small percentage of the 14 million Advantage Card users. The affected users will be contacted, and have been advised to improve their online security.

Users, however, can still accrue points at branches of Boots or for online purchases.

In a statement, Boots said: "Our customers' safety and security online is very important to us. We can confirm we are writing to a small number of our customers to tell them that we have seen fraudulent attempts to access boots.com accounts.

"These attempts can be successful if people use the same email and password details on multiple accounts. We would like to reassure our customers that these details were not obtained from Boots. We are aware that other organisations may be impacted too.

"As an extra precaution we have temporarily stopped payment by Boots Advantage Card points on boots.com or in store.

"This removes the ability for people to attempt to access any Boots accounts, but means that customers will not be able to use Boots Advantage Card points to pay for products in store and online for a short period of time.

"We are writing to customers if we believe that their account has been affected, and if their Boots Advantage Card points have been used fraudulently we will, of course, replace them.

"We currently believe that this will only affect a tiny percentage of cardholders and we would like to reassure customers that credit card information cannot be accessed. To help protect online accounts we strongly recommend using different passwords for each site used."

The attack comes days after a similar credential-stuffing attack hit 600,000 Tesco Clubcard holders. Credential stuffing describes hackers simply replaying existing usernames and passwords culled from previous compromises, in the expectation that many people will have used the same combination across multiple accounts.

Max Heinemeyer, director of threat hunting at security firm Darktrace, said that organisations need to be proactive and implement robust security measures to detect credential-stuffing attacks.
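As an added example (not code from Boots, Darktrace or this article), here is one way a defender could surface the pattern the article describes in authentication logs: a single source trying many distinct accounts about once each and mostly failing, which is the signature of credential stuffing, as opposed to brute force (one account, many tries) or an ordinary user who mistypes a password. The log format, the thresholds and every sample line are constructed for this example; successful logins from a flagged source are collected as the accounts to notify and reset.

```python
"""Spot credential-stuffing traffic in authentication logs.

Added example, not Boots' or Darktrace's code. Assumes a simple
space-separated log format (constructed here) with one line per login
attempt: <timestamp> <source_ip> <account> <OK|FAIL>.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.7 tries a leaked password against many
# accounts (stuffing), 198.51.100.9 hammers a single account (brute force),
# and 192.0.2.5 is a real user who mistypes a password twice.
SAMPLE_LOG = """\
2020-03-05T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-03-05T09:00:02Z 203.0.113.7 bob@example.com FAIL
2020-03-05T09:00:02Z 203.0.113.7 carol@example.com OK
2020-03-05T09:00:03Z 203.0.113.7 dave@example.com FAIL
2020-03-05T09:00:03Z 203.0.113.7 erin@example.com FAIL
2020-03-05T09:00:04Z 203.0.113.7 frank@example.com FAIL
2020-03-05T09:00:04Z 203.0.113.7 grace@example.com OK
2020-03-05T09:00:05Z 203.0.113.7 heidi@example.com FAIL
2020-03-05T09:01:00Z 198.51.100.9 ivan@example.com FAIL
2020-03-05T09:01:01Z 198.51.100.9 ivan@example.com FAIL
2020-03-05T09:01:02Z 198.51.100.9 ivan@example.com FAIL
2020-03-05T09:01:03Z 198.51.100.9 ivan@example.com FAIL
2020-03-05T09:01:04Z 198.51.100.9 ivan@example.com FAIL
2020-03-05T09:01:05Z 198.51.100.9 ivan@example.com FAIL
2020-03-05T09:02:00Z 192.0.2.5 judy@example.com FAIL
2020-03-05T09:02:10Z 192.0.2.5 judy@example.com FAIL
2020-03-05T09:02:20Z 192.0.2.5 judy@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    accounts: set[str] = field(default_factory=set)      # distinct accounts tried
    compromised: set[str] = field(default_factory=set)   # accounts that logged in OK

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def attempts_per_account(self) -> float:
        return self.attempts / len(self.accounts) if self.accounts else 0.0


def parse_line(line: str) -> tuple[str, str, str, bool]:
    """Return (timestamp, source_ip, account, success) for one log line."""
    ts, ip, account, result = line.split()
    return ts, ip, account, result == "OK"


def summarise(log_text: str) -> dict[str, SourceStats]:
    """Aggregate login attempts per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, account, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.compromised.add(account)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: dict[str, SourceStats], min_accounts: int = 5,
                          min_failure_rate: float = 0.5,
                          max_attempts_per_account: float = 2.0) -> dict[str, SourceStats]:
    """Credential stuffing: one source, many distinct accounts, roughly one
    try each, mostly failing. Brute force (one account, many tries) and a
    forgetful user (one account, a few tries) do not match these rules.
    Thresholds are illustrative; tune them to real traffic volumes."""
    return {ip: s for ip, s in stats.items()
            if len(s.accounts) >= min_accounts
            and s.failure_rate >= min_failure_rate
            and s.attempts_per_account <= max_attempts_per_account}


def accounts_to_notify(stats: dict[str, SourceStats]) -> set[str]:
    """Accounts a flagged source managed to log into: reset and contact these."""
    return set().union(*(s.compromised for s in flag_stuffing_sources(stats).values()))


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for ip, s in flag_stuffing_sources(stats).items():
        print(f"{ip}: {len(s.accounts)} accounts, failure rate {s.failure_rate:.2f}, "
              f"{len(s.compromised)} successful logins")
    print("notify:", sorted(accounts_to_notify(stats)))
```

The distinguishing feature is the number of distinct accounts per source rather than the number of failures: a brute-force source and a legitimate user both fail repeatedly, but against a single account. In production the same counters would be kept per time window and also per user-agent or ASN, since stuffing tools rotate source addresses.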

"This is a classic case of credential stuffing - a kind of attack where hackers check previous data leaks containing stolen passwords uploaded on the dark web and then reuse those credentials to sign into another one of your online accounts," he said.

He continued: "This attack is only possible because the average person doesn't always act with security in mind and re-uses the same username and passwords across many sites.

"Good password managers and multi-factor authentication will help, but there is only so much the individual can do. The responsibility lies with the organisations providing online services to ensure they have robust systems and cutting-edge defensive technologies to fight back when hackers do gain access to users' accounts."