A security researcher believes the 2,239 Tesco account details leaked online by hackers are only the tip of the iceberg.
The account details – including username, password and loyalty card balances – were accessed by hackers and posted to the popular text-sharing site Pastebin. Tesco admitted a breach took place.
Tesco has suspended the affected accounts and is "urgently investigating" the breach.
Troy Hunt, who previously revealed Tesco was sending passwords in plain text via email, says: "I would not for a moment assume that the extent of the damage is only a couple of thousand accounts, that's almost certainly only the tip of the iceberg."
Tesco came under fire from the Information Commissioner's Office in 2012 over concerns about its website security following a revelation by Hunt that he had received a password reminder email from the retail giant which contained his password in plaintext.
A Tesco spokesperson said on Friday: "We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this. We will issue replacement vouchers to the very small number who are affected."
It is still unclear how exactly the attackers were able to gain access to the Tesco customer information, but some have suggested that the attackers simply took credentials stolen in other high-profile breaches – such as the Adobe breach last year, which saw 38 million user details leaked – and used these same credentials to access Tesco's system.
This method would rely on people repeatedly using the same username/password combination across a range of online services, which is a well-known phenomenon despite multiple warnings by security professionals.
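The pattern described above, reusing credentials from another breach against a new site, leaves a characteristic trace in authentication logs: one source trying many different accounts, roughly once each, rather than one account many times. The following is an added example of a detection heuristic over that pattern; it is not Tesco's code and not from Hunt's blog. The log events are constructed for illustration, the IP addresses are documentation ranges, and the five-minute window and five-account threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, outcome).
# 203.0.113.7 cycles through seven accounts in seven seconds; two succeed.
# 198.51.100.5 is one customer mistyping their own password twice.
SAMPLE_EVENTS = [
    ("2014-02-14T09:00:01", "203.0.113.7", "alice@example.com", "fail"),
    ("2014-02-14T09:00:02", "203.0.113.7", "bob@example.com", "fail"),
    ("2014-02-14T09:00:03", "203.0.113.7", "carol@example.com", "success"),
    ("2014-02-14T09:00:04", "203.0.113.7", "dave@example.com", "fail"),
    ("2014-02-14T09:00:05", "203.0.113.7", "erin@example.com", "fail"),
    ("2014-02-14T09:00:06", "203.0.113.7", "frank@example.com", "success"),
    ("2014-02-14T09:00:07", "203.0.113.7", "grace@example.com", "fail"),
    ("2014-02-14T09:01:00", "198.51.100.5", "alice@example.com", "fail"),
    ("2014-02-14T09:01:30", "198.51.100.5", "alice@example.com", "fail"),
    ("2014-02-14T09:02:00", "198.51.100.5", "alice@example.com", "success"),
]


def find_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that attempt at least `min_accounts` distinct accounts
    within any `window`-long span. Returns {ip: summary} for flagged sources.

    The summary lists the accounts that logged in successfully from the
    flagged source; those are the ones to suspend and notify.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user.lower(), outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        # Slide a window starting at each event and keep the busiest one.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_accounts and (best is None or len(users) > best[0]):
                best = (len(users), in_window)
        if best is not None:
            n_users, in_window = best
            flagged[ip] = {
                "distinct_accounts": n_users,
                "attempts": len(in_window),
                "compromised": sorted({u for _, u, o in in_window if o == "success"}),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, summary)
```

The distinction from a brute-force alert is the count of distinct accounts, not the count of failures: a stuffing run from a well-sourced password list can have a high success rate, so thresholds based on failed logins alone miss it.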
Speaking about today's breach, Hunt said: "As prophesised, it has happened – Tesco has had a serious security incident." On his blog Hunt looks at various other attack vectors the hackers could have used to access the details, pointing out that "many of the serious security problems that Tesco had in mid-2012 remain both in terms of discrete risks I called out (such as password strength), and as a cultural approach to security in general.
"There are still numerous easily observable risks discoverable simply by browsing the website, who knows what might lie beneath that and is readily discoverable with a little probing."
The Have I Been Pwned? website has added the leaked Tesco customer information to its database, so you can check whether your account was among those exposed simply by typing in your email address.