UK supermarket giant Tesco was in the news recently for the wrong reasons after details of 2,240 customer accounts appeared on Pastebin. Tesco moved quickly to suspend the accounts in question, but an unlucky few did have store vouchers stolen, and their email addresses and passwords were left on display for the world to see.
This is not the first time that Tesco has received bad press over security; in 2013 Tesco ClubCard holders were reported to be victims of a security breach. What makes this incident interesting, however, is that no attack on Tesco's own systems is thought to have occurred. The compromise appears to have been built on previous data breaches elsewhere, with no new hack of Tesco data, which highlights the fact that personal data leaked on the internet can have lasting repercussions. It exposed accounts on separate sites and handed threat actors a wealth of social engineering material for spear-phishing, scam emails and identity theft.

Attackers were able to take usernames and passwords collected from unconnected sites and try them against Tesco customer accounts; where the password had been reused, the login simply worked. This demonstrates the danger of using the same password across multiple accounts. Yet the average user will have the same login for supermarkets, online banking, train tickets, online shopping, email, social media… Need I go on? We have busy lives, and as everything moves online the number of accounts and passwords to keep track of is proliferating.

There are best practices that users can follow to keep themselves protected. This is not new advice, I am afraid, but insecure password practices are still rife! So listen up.
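From the service operator's side, the reuse-of-leaked-credentials pattern described above has a recognisable footprint in authentication logs: one source trying many different accounts, mostly failing, with the occasional success where a customer reused a password. The following is an added example, not code from the article or from Tesco; the log format (`src=`, `user=`, `result=`) and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned per site. It flags such sources and lists the accounts that logged in successfully from them, which are the candidates for a forced password reset.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample authentication log in a hypothetical format
# (timestamp, source address, account, outcome). Not real data.
SAMPLE_LOG = """\
2014-02-14T08:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2014-02-14T08:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2014-02-14T08:00:02Z src=203.0.113.7 user=carol@example.com result=OK
2014-02-14T08:00:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2014-02-14T08:00:03Z src=203.0.113.7 user=erin@example.com result=FAIL
2014-02-14T08:00:04Z src=203.0.113.7 user=frank@example.com result=FAIL
2014-02-14T08:00:04Z src=203.0.113.7 user=grace@example.com result=OK
2014-02-14T08:00:05Z src=203.0.113.7 user=heidi@example.com result=FAIL
2014-02-14T08:01:10Z src=198.51.100.20 user=ivan@example.com result=FAIL
2014-02-14T08:01:25Z src=198.51.100.20 user=ivan@example.com result=OK
2014-02-14T08:02:00Z src=192.0.2.33 user=judy@example.com result=FAIL
2014-02-14T08:02:09Z src=192.0.2.33 user=judy@example.com result=FAIL
2014-02-14T08:02:20Z src=192.0.2.33 user=judy@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_credential_stuffing(log_text: str, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.5) -> dict:
    """Group login attempts by source address and flag sources that try many
    distinct accounts with a high failure rate (thresholds are assumptions).

    Returns a dict keyed by flagged source, with attempt counts and the
    accounts that logged in successfully from that source.
    """
    per_src = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "succeeded": []}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        stats = per_src[rec["src"]]
        stats["attempts"] += 1
        stats["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["succeeded"].append(rec["user"])

    flagged = {}
    for src, stats in per_src.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        # A legitimate user who mistypes a password hits one account, not many;
        # a password-spray from leaked lists hits many accounts and mostly fails.
        if len(stats["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "succeeded": sorted(stats["succeeded"]),
            }
    return flagged


if __name__ == "__main__":
    for src, report in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {report}")
```

Run against the sample, only `203.0.113.7` is flagged: eight attempts across eight different accounts with a 75% failure rate, and two accounts (`carol`, `grace`) accepted the leaked password. The customer who retried once (`198.51.100.20`) and the one who got it wrong three times (`192.0.2.33`) are not flagged because they touch a single account. A production version would evaluate these counts over sliding time windows and also consider distributed sources, since attackers spread attempts across many addresses to stay under per-source thresholds.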