Supermarket giant Tesco has suspended more than 2000 online customer accounts after cyber thieves used login details posted on the internet to steal Clubcard vouchers.
A list of thousands of usernames and passwords was posted by hackers on a text-sharing website on Thursday.
It is thought the data was taken from other websites in high-profile security breaches and used to access Tesco.com customer accounts to steal Clubcard points, with 2239 hits where the same usernames and passwords were used.
Loading article content
But only a "handful" of people are understood to have actually suffered theft of their Clubcard vouchers, as secondary security information was needed to fully access the accounts.
Tesco has now deactivated the affected accounts as a precaution and is contacting all customers impacted, pledging to reimburse those who have lost out.
The group said it was "urgently investigating" the security breach.
It said: "We have contacted all customers who may have been affected and are committed to ensuring none of them miss out as a result of this. We will issue replacement vouchers to the very small number affected."
Tesco is said to have accidentally revealed hundreds of customer email addresses earlier this week when apologising for a pricing error.