The supermarket giant Tesco recently suffered a major security breach: a large number of its tesco.com customer accounts were exposed and posted on the popular text-sharing site Pastebin. The data included Tesco customers' usernames, passwords and loyalty card balances.
The data was verified by users and other hacktivists and proven to be genuine (publicly posted breach data of this kind often consists of out-of-date or historic records and is of limited value). Tesco have a history of somewhat underwhelming their users and other security observers with regard to the security of their web services. Indeed, they were held to account by the ICO late in 2012, a fact widely reported in the press and elsewhere, such as BBC News.
This latest breach seems to have been the result of a brute-force break-in. Troy Hunt has a great post describing the Tesco hack and how he thinks it was done. We're all fairly sure that Tesco did store passwords in the clear in a previous incarnation of the site. However, since the ICO incident, while they have clearly improved the site, it still seems to have several fundamental weaknesses.
Of course the users of the site themselves have some responsibility: using trivial passwords and reusing passwords from other sites/logins is just plain stupid. For the consumer the proliferation of passwords is a huge problem, but there's a certain naivety in security experts expecting the average consumer to create a different password for every site they visit. There are of course tools to help in that regard, 1Password and LastPass to name but two. The trouble is there's no real answer to the password issue until we get some sort of federated system that everyone can get behind.
The move towards OTP authenticators, as used by Amazon, Google and several others, is, unless we co-ordinate in some way, just going to add to the problem and make it worse for consumers before it gets any better.