The UK health and beauty retailer, Boots, has suspended all payments using their loyalty card points both online and in store after unauthorised attempts had been made to enter customers’ accounts using stolen passwords.

Boots have said that customers won’t be able to use the points on their Boots Advantage Card while they deal with the issue. They’ve also stated that the passwords used were reused from other sites, saying that none of their systems had been compromised and that attackers were using passwords acquired from other sites’ breaches.


The way the attackers attempted to access Boots customers’ accounts highlights an ongoing global security issue surrounding passwords. It’s imperative to use a unique password for every account because, as in this instance, if one site has a breach and your password is leaked, an attacker could then access any account where the same password is used.

A spokeswoman for Boots told the BBC that, of the company’s 14.4 million active Advantage Cards, less than 1% were affected; that’s just under 150,000 people. However, they couldn’t give an exact figure as they were still dealing with the issue.

The type of cyber-attack used in this case is called credential stuffing. It typically involves an attacker using a list of stolen account credentials (usually usernames and passwords) to attempt to log in to different websites, preying on people who use the same email and password combination for multiple accounts.
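From the defending site's side, this attack shows up in login logs as one source trying many different accounts about once each, with only a few successes. The following is an added example, not code from Boots or the original article, that separates that pattern from repeated guessing against one account and lists the accounts that need a password reset. The event format, thresholds and sample data are constructed assumptions, and grouping by source address alone is a simplification because real campaigns are often spread across many addresses.

```python
from collections import defaultdict

# Constructed sample events (source_ip, username, login_succeeded); not real data.
SAMPLE_EVENTS = (
    # One source tries 40 different accounts once each; one reused password works.
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # One source hammers a single account: password guessing, not stuffing.
    + [("198.51.100.4", "alice@example.com", False)] * 25
    # An ordinary customer mistypes a password, then logs in.
    + [("192.0.2.10", "bob@example.com", False), ("192.0.2.10", "bob@example.com", True)]
)

def classify_sources(events, min_accounts=20, max_tries_per_account=2.0,
                     max_success_rate=0.10):
    """Return {source_ip: (label, accounts_to_reset)}; thresholds are illustrative."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(user.lower())
        if ok:
            s["hits"].add(user.lower())

    report = {}
    for ip, s in stats.items():
        n_accounts = len(s["accounts"])
        tries_per_account = s["attempts"] / n_accounts
        success_rate = len(s["hits"]) / n_accounts
        if (n_accounts >= min_accounts
                and tries_per_account <= max_tries_per_account
                and success_rate <= max_success_rate):
            # Wide and shallow: many accounts, about one try each, few successes.
            # Any account that did log in used a leaked password and needs a reset.
            report[ip] = ("credential_stuffing", sorted(s["hits"]))
        elif s["attempts"] >= min_accounts and tries_per_account > max_tries_per_account:
            # Narrow and deep: repeated guesses against a few accounts.
            report[ip] = ("password_guessing", [])
        else:
            report[ip] = ("normal", [])
    return report

if __name__ == "__main__":
    for ip, (label, reset) in classify_sources(SAMPLE_EVENTS).items():
        print(f"{ip:15} {label:20} reset={reset}")
```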

It’s best practice to enable two-factor authentication on every account that offers it, as well as to use a strong, unique password for every account.