UK's Supermarket Chain 'Iceland' Urges Bonus Card Customers to Change Passwords After Data Breach
In addition to being a northern country that is famous for its volcanoes and geysers, Iceland is also the name of a British supermarket chain. It recently suffered a security incident which can serve as proof that cybercriminals aren't very picky when they have to choose their targets.
The victims were Iceland customers who had taken advantage of the supermarket's Bonus Card system – a benefit scheme that lets you put money you've saved onto a card and then use it to buy things from the store. People can manage their Bonus Cards online, which means that they have accounts on Iceland's website.
In early November, the supermarket's IT team noticed that some of these accounts were accessed from unusual locations. After investigating further, they confirmed that the activity was out of the ordinary, and to stop it, they suspended the affected accounts and set about informing the victims.
Information on what the crooks did is somewhat scarce
It is important to note that Iceland decided to contact data breach victims via snail mail. If you're an Iceland customer and you receive an email regarding the security incident, you can be pretty sure that it's fake.
Some of the affected people posted pictures of the real notifications, and having gone through them, we can safely say that compared to Amazon, the supermarket chain has done a better job of explaining what has happened. Even so, some details are missing.
The letter doesn't say, for example, how many people the breach affected, though Iceland did later tell Moneysavingexpert.com that the number of victims is somewhere in the "low thousands". It's also not clear what the crooks did when they accessed people's Bonus Card accounts. What is certain is that victims' cards have been suspended, and new ones are being mailed out.
Iceland: It was credential stuffing
It's easy to assume that an organization that specializes in selling food might not have the most secure online shop. And if you poke around, you will see one or two things that don't really inspire much confidence.
For example, if you go to the same Bonus Card login form that was abused and click "Need help logging in?", you will be redirected to a page which gives you information on what you need to provide to access your account. Among other things, it says "If you have forgotten your password, don't worry click here and we can email it to you." We can't confirm exactly how the password reset function works, but if the password is indeed emailed back to the user, then Iceland isn't storing it correctly.
To email it in plain text, Iceland must be able to see it in plain text. And as we've said in the past, if a service provider can see your password, then they're not storing it correctly.
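The contrast the two paragraphs above draw is between a site that can read a stored password back and one that cannot. The following added example (not code from Iceland or from the article) shows the second design in Python's standard library: passwords are stored only as a salted, slow hash, and the "forgot my password" path emails a random single-use token rather than the password itself. The iteration count, the token lifetime and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. A hypothetical value for this example;
# scrypt, bcrypt or Argon2 are preferable where available, but PBKDF2 ships
# with the standard library and makes the point.
ITERATIONS = 100_000


def store_password(password: str) -> dict:
    """Return the record a site should keep for a user's password.

    It contains a random salt and a slow hash, nothing from which the
    password can be recovered, so it can never be emailed back.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def issue_reset_token(record: dict, now: float, ttl: float = 900) -> str:
    """Password reset that never touches the old password.

    A random token is returned for emailing to the user; only its hash and an
    expiry (assumed 15 minutes) are stored, so a leaked database does not
    expose usable reset links. `now` is a Unix timestamp supplied by the caller.
    """
    token = secrets.token_urlsafe(32)
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + ttl,
    }
    return token


def redeem_reset_token(record: dict, token: str, new_password: str, now: float) -> bool:
    """Set a new password if the presented token matches, is unexpired and unused."""
    pending = record.get("reset")
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(pending["token_hash"], presented):
        return False
    record.update(store_password(new_password))  # new salt and hash
    del record["reset"]  # single use
    return True


if __name__ == "__main__":
    rec = store_password("correct horse")
    print("stored record:", rec)  # no plaintext anywhere in it
    tok = issue_reset_token(rec, now=1000.0)
    print("reset worked:", redeem_reset_token(rec, tok, "new secret", now=1010.0))
    print("new password verifies:", verify_password(rec, "new secret"))
```

A site built this way can still help a locked-out user, which is the legitimate purpose of the "click here and we can email it to you" link; it simply has no password to send, only a link that lets the user choose a new one.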
Even so, Iceland representatives say that their systems weren't compromised in any way. According to the breach notification, the passwords that were used to break into Iceland accounts were stolen from another organization, and people's password reuse habit was the only thing that made the attack successful. In other words, they say that they've been targeted by a credential stuffing attack.
All that's been reported so far doesn't sound too improbable. For one, credential stuffing seems to be becoming more and more common nowadays, partly because it's quite effective, but mostly because it's easy to pull off. Furthermore, while it may seem illogical at first, when you think about it, attacking services like Iceland's Bonus Card program does make a fair bit of sense.
If a person has used the same password for two accounts, it's highly likely that they've used it on a third one as well. By breaking into low-value accounts like the Iceland Bonus Card ones, the crooks can confirm which users reuse their passwords and which don't. They can then sanitize their list of credentials a bit, which will make attacks on more valuable targets even quicker.
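The article says Iceland's IT team noticed logins "from unusual locations" and then suspended the affected accounts. The added example below (not Iceland's code, and the log format, IP addresses and per-account "usual countries" are all constructed for illustration) shows the two checks a defender would run over an authentication log to spot a credential stuffing run and decide which accounts to suspend: one source trying many different usernames in a short window, and successful logins from a country an account has never used before.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (RFC 5737 placeholder addresses, not real data).
# 203.0.113.5 walks through six accounts in six seconds: a stuffing pattern.
# 198.51.100.7 is one user mistyping a password once, then succeeding: benign.
SAMPLE_LOG = """\
2018-11-02T10:00:01Z ip=203.0.113.5 user=alice result=FAIL country=NL
2018-11-02T10:00:02Z ip=203.0.113.5 user=bob result=FAIL country=NL
2018-11-02T10:00:03Z ip=203.0.113.5 user=carol result=OK country=NL
2018-11-02T10:00:04Z ip=203.0.113.5 user=dave result=FAIL country=NL
2018-11-02T10:00:05Z ip=203.0.113.5 user=erin result=FAIL country=NL
2018-11-02T10:00:06Z ip=203.0.113.5 user=frank result=OK country=NL
2018-11-02T10:05:00Z ip=198.51.100.7 user=alice result=FAIL country=GB
2018-11-02T10:05:30Z ip=198.51.100.7 user=alice result=OK country=GB
2018-11-02T11:00:00Z ip=192.0.2.9 user=grace result=OK country=GB
"""

# Constructed "usual" countries per account, as would be built from earlier logins.
KNOWN_COUNTRIES = {
    "alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"GB"},
    "erin": {"GB"}, "frank": {"GB"}, "grace": {"GB"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) country=(?P<country>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5) -> dict:
    """Return {ip: usernames} for sources that hit at least min_accounts distinct
    accounts inside a sliding window. Thresholds are assumptions to tune per site."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def unusual_location_logins(events, known) -> list:
    """Successful logins from a country not previously seen for that account."""
    return [
        e for e in events
        if e["result"] == "OK" and e["country"] not in known.get(e["user"], set())
    ]


def accounts_to_suspend(events, known) -> list:
    """Accounts with a successful login from a flagged source or an unusual country:
    the ones an operator would suspend and notify, as the article describes."""
    sources = stuffing_sources(events)
    hits = set()
    for e in events:
        if e["result"] != "OK":
            continue
        if e["ip"] in sources or e["country"] not in known.get(e["user"], set()):
            hits.add(e["user"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("suspend:", accounts_to_suspend(evs, KNOWN_COUNTRIES))
```

Note that the per-source check catches the run even when most attempts fail, which is what a reused-password list looks like from the receiving end: a low hit rate spread across many accounts. The per-account check is what lets the operator see the "unusual locations" the article mentions and limit the suspensions to accounts that were actually entered.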
At the risk of sounding like a broken record, we would once again like to emphasize how important it is to properly manage your passwords. As you can see, hackers tend to be fairly indiscriminate when they decide to break something, and they sometimes compromise services that, at first glance, don't seem to be too valuable. Thanks to the millions of people who reuse their passwords, however, even the least obvious target can prove to be a gold mine.