Boots has blocked all Advantage card holders from 'paying with points' after 150,000 accounts were subjected to attempted hacks using stolen passwords.
The news comes just days after Tesco said it would issue replacement Clubcards to more than 620,000 customers after a similar security breach.
Here, Which? explains what you should do if you've been impacted by either data breach and compares this incident with previous data breaches.
According to the health and beauty retailer, hackers attempted to access around 150,000 customer accounts using passwords from other sites.
Boots said it's writing to customers whose accounts are believed to have been affected, and that no credit card details were accessed by the cyber attackers.
While you won't be able to pay for items using your points, you can still continue to collect points when you shop.
Tesco believes a database of usernames and passwords stolen from other websites has been used to try to access Clubcard accounts and customer vouchers.
In an announcement earlier this week, Tesco said that no financial data was accessed and that its systems haven't been hacked. Customers who are thought to have been impacted have received an email letting them know.
Access to affected accounts has been blocked as a security measure. Tesco says it is actively working towards restoring access for customers.
Tesco has advised that impacted customers will be asked to reset their password the next time they log in. The supermarket is also planning to issue new Clubcard numbers to those customers.
If you've used the same password that you had for your Tesco account elsewhere, then you should change it on those sites too.
If you are resetting your password:
There are various random password generators online that you could use to create something really secure.
Some Twitter users have reported difficulties accessing their Tesco accounts after resetting their password, as they needed their Clubcard number in order to do so.
As Tesco will be reissuing Clubcards with new numbers, old card numbers are no longer valid.
If your account is part of either data breach, Tesco or Boots should let you know.
Several high-profile data breaches have hit consumers over the past few years. Here we take a look at some of the most notable cases.
The airline said that its systems had been compromised for more than two weeks, with 'the personal and financial details of customers making bookings on our website and app' potentially stolen by hackers between 21 August and 5 September 2018.
The hack prompted a criminal inquiry led by specialist cyber officers from the National Crime Agency (NCA). In 2019, the Information Commissioner's Office (ICO) announced its intention to hand a record fine of £183m to the airline - the biggest penalty it had handed out under the new General Data Protection Regulation (GDPR).
One of the in 2018, with a total of 500 million records accessed. It admitted that information including passport numbers was compromised for approximately 339 million people who had made reservations at Starwood properties.
Marriott's investigation determined that there was unauthorised access to the database, which contained guest information relating to reservations on or before 10 September 2018, and leading security experts found that this had gone unnoticed for four years.
The ICO announced plans to fine Marriott £99m for the breach, and said the hotel chain had failed to do sufficient due diligence on its IT systems.
The company said that approximately 105,000 non-EU-issued payment cards without chip-and-pin protection had been compromised, but that 5.8m of the credit and debit cards with chip-and-pin protection and pin codes had not been leaked. The cyber-attack went unnoticed for around nine months.
In January this year, the ICO announced a £500,000 fine for the retailer.
An ICO statement said that 'a series of avoidable data security flaws' allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber's US parent company.
Instead of contacting affected customers and drivers at the time, an ICO report said Uber paid the attackers responsible $100,000 (£78,294) to destroy the data they had downloaded.