Ask The Cyber Security Expert: Was Tesco hacked?

09:06 16 February in attack, Cyber security, hack
2

The Cyber Security Expert is often asked if Tesco was hacked. Well, ok, not usually often, but certainly a lot in the last few days.

Was Tesco hacked?

From this BBC headline you’d certainly think so: http://www.bbc.co.uk/news/technology-26171130

Firstly, you now know my thoughts on using the word ‘attack’ to describe hacking. Secondly, no, it doesn’t appear that Tesco itself was hacked (the first thing to notice is the low number of account details leaked online – I have no idea how many users Tesco.com has but I’d be willing to bet it at least two orders of magnitude higher, and had the service been hacked you’d expect a lot more user accounts to be compromised).

So what happened?

A list of some 2200 usernames and passwords for Tesco online customers was posted to the site Pastebin (Pastebin is a website used for sharing segments of text. It has become increasingly popular as a forum for hackers to share information they have stolen. The site itself is safe though, so you can visit and have a look for yourself). Immediately this was reported by some news organisations as Tesco itself being hacked. However closer analysis of the leaked text suggest in fact these were credentials that had been acquired by hacking other sites, and tested against Tesco until some were found that worked.

Say that again!

There have been a number of high profile compromises of web services with large volumes of users. Adobe for instance lost millions of user details. There have been plenty of others, all losing huge numbers of user details; dating sites, game companies (including Sony) and many more.

Each this happens the usernames and passwords of (potentially) millions of users are exposed. This causes a wider issue though – most people reuse username and password combinations. The Tesco accounts seem to have been compromised in this manner – those 2000+ people used the same username and password on other websites, one of which was compromised.

Once you have a username and password it is relatively each to automate the testing of them against other websites – so the hackers did not have to manually try millions of username/password combinations at Tesco.com. Rather they just wrote a program that tried all the combinations they had, and recorded which ones appeared to be valid.

What can I do?

There is not much you can do personally to prevent hacking of some web service you use. However, you can mitigate the impact of any compromise on you personally by never using the same password twice. This is really important.

I appreciate this is a pain. We all have too many passwords. There are some options; you can use a password manager like 1Password or Keepass (there are others – the latest version of Mac OS and iOS will manage passwords for you). You can write your passwords down if you need to – its better than using the same password twice, just don’t leave the written list lying around. Store it somewhere safe. If you lose it, you need to reset the passwords. Or you can come up with some scheme you use to ensure passwords are unique – embed the organisation name in the middle of the password for instance (e.g. LagerBeerTESCOBoozePub). The passwords won’t be as good as if you generated them with a password manager, but at the very least they will be unique per web service, which would prevent this kind of automated attack.

What do you do?

Its taken a while for me to make the move, but I have finally resorted to using a password manager. 1Password specifically. There are a few key sites I still create and memorise the password for myself, but otherwise this seems like a usable solution. I did try the built the in Mac service but it didn’t work for me – firstly it didn’t seem to cope well with having multiple Google identities, and secondly I was uncomfortable about locking myself into something so vendor specific. I’d recommend trying a couple and using what works best for you.

As always, if you have questions please get in touch! Find us on twitter, or use the contact form.

The Cyber Security Expert