Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug

Or just 386, according to chain

By Paul Kunert


Hackers claim to have grabbed the personal details of almost 20,000 bods who shopped online at Superdrug, the British cosmetics retailer has confirmed. Payment card details are not said to be among the haul.

The biz has emailed customers, El Reg can confirm, advising them of the “possible disclosure of your personal data, but not including your payment card information.”

“On the evening of the 20th of August, we were contacted by hackers who claimed they had obtained a number of our customers’ online shopping information,” the note from boss Peter Macnab stated.

“There is no evidence that Superdrug’s systems have been compromised. We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website.”

The cyber villains alleged they had “obtained information on approximately 20,000 customers but we have only seen 386,” the chain added, leading us to believe this is a classic credential-stuffing stunt by the crooks. That's when scumbags take passwords and usernames leaked from one website and use them to log into accounts on other sites, exploiting the fact people reuse their passphrases across various online services and profiles.

Customers’ names, postal addresses and “in some instances” date of birth, phone number and points balances “may have been accessed”, the email stated. The retailer advised customers to update their password “now and on an on-going, frequent basis.”

Superdrug has contacted the cops and Action Fraud about the incident, and “will be offering them all the information they need for their investigation.” It is believed the miscreants contacted the retailer in hope of extorting money from the business in exchange for their silence.

A spokesperson for Superdrug was not available for immediate comment. ®
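For defenders, the credential-stuffing pattern described above shows up in login logs as one source trying many different accounts and mostly failing. The sketch below is an added example, not code from Superdrug or The Register: the log format, addresses, account names and thresholds are all constructed assumptions. It flags such sources and lists the accounts they actually got into, which are the ones that need a forced password reset and a notification.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2018-08-20T21:03:01Z 203.0.113.7 amy@example.com FAIL
2018-08-20T21:03:02Z 203.0.113.7 bob@example.com FAIL
2018-08-20T21:03:03Z 203.0.113.7 cat@example.com OK
2018-08-20T21:03:04Z 203.0.113.7 dan@example.com FAIL
2018-08-20T21:03:05Z 203.0.113.7 eve@example.com FAIL
2018-08-20T21:03:06Z 203.0.113.7 fay@example.com OK
2018-08-20T21:04:10Z 198.51.100.20 gus@example.com FAIL
2018-08-20T21:04:25Z 198.51.100.20 gus@example.com OK
2018-08-20T21:05:00Z 192.0.2.44 hal@example.com OK
"""

def parse(log_text):
    """Yield (ip, account, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def find_stuffing(log_text, min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: sorted accounts it logged into} for suspicious sources.

    A source is suspicious when it tried at least min_accounts distinct
    accounts and at least min_fail_ratio of its attempts failed.
    Both thresholds are illustrative assumptions, not tuned values.
    """
    tried = defaultdict(set)      # ip -> distinct accounts attempted
    opened = defaultdict(set)     # ip -> accounts with a successful login
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for ip, account, ok in parse(log_text):
        tried[ip].add(account)
        attempts[ip] += 1
        if ok:
            opened[ip].add(account)
        else:
            failures[ip] += 1
    return {
        ip: sorted(opened[ip])
        for ip in tried
        if len(tried[ip]) >= min_accounts
        and failures[ip] / attempts[ip] >= min_fail_ratio
    }

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(ip, "opened", accounts)
```

A user who mistypes a password once and then logs in, like the second source in the sample, is not flagged. Attempts spread thinly across many source addresses would slip past a per-IP grouping like this one, so in practice it is paired with checks on overall failure rates and on passwords known from other breaches.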
