Bad passwords at fault for Tesco data breach

Following the news that Tesco had its users’ account detail posted online, the need to be vigilant with passwords is more apparent than ever.

Tesco has claimed that the data was compiled from details that hackers stole from other websites of potentially unrelated organisations. By utilising these password and email combinations, 2,239 Tesco.com accounts were compromised.

"It’s important to note that the current information does NOT suggest that Tesco itself was breached, nor are we seeing any information that indicates that they have in any way exposed their customers to risk," Trey Ford, global security strategist for Rapid7 told CBR.

"This is about consumer behavior – people continue to reuse passwords and other credentials across multiple sites, making it easy for attackers to compromise them. It’s essential to learn the lesson from this incident before the cost becomes greater," he said.

Security experts have stressed that customers need to take responsibility to ensure that they are not setting themselves up for a fall by using the same password for multiple online accounts.

"Our natural instinct is to simplify and use the same password and username combination for everything. But this is very risky as attacks like these demonstrate," Charles Sweeney, CEO of security solutions company Bloxx, told CBR.

"Whilst it might be convenient for you, it also makes it easier for hackers to steal your details from the multiple sites that you’ve signed up to."

Ford added: "We all know it’s a pain to deal with multiple complex passwords across all the various sites and services we use, but there are solutions to help with that, encrypted password vaults like LastPass, 1Password, KeePassX and others.

As well as not using the same password for multiple accounts, Sweeny also advises not to use passwords or pins that are easy to second guess, like your address or date of birth, as this information can be easily obtained by anyone.

Ford advised that for those who want to add further protection to their accounts, they can take the imitative set up a password vault.

"From a trusted computer, trade out your old shared passwords for new unique ones. Change your email password first, it is the one key to rule them all – password resets go to your email," he said.