Tesco told the BBC that it hadn't itself been breached, but that the data had been compiled by hackers using information stolen from other sites -- the hackers tried to log into Tesco accounts using user name and password combinations leaked in other breaches, then published a list of 2,239 successful combinations.
Some customers' store vouchers have been stolen using the leaked data.
"We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this," the company said in a statement. "We will issue replacement vouchers to the very small number who are affected."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
In a blog post, security expert Troy Hunt noted that only about 15 percent of the published login credentials matched data already stored at his data breach site, Have I Been Pwned? -- which would seem to indicate that the data may not have been taken from another major breach after all.
"Of course HIBP is not exhaustive and there [are] numerous breaches both known and unknown that could have been the original source of this incident, but what I can say for sure is that the data didn’t come from any of the biggies I’ve loaded in -- otherwise that 15 percent would be a hell of a lot closer to 100 percent," Hunt wrote.