We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

28 Jan 2021

Data breaches: your passwords for sale

Our investigation finds online fraudsters advertising stolen data on consumers of big brands, including Tesco, McDonalds, Deliveroo and MGM Resorts

Millions of passwords stolen in data breaches are for sale on the dark web, an investigation by Which? has found.

We worked with security specialists Red Maple Technologies in October 2020 to investigate the kind of personal data that is advertised for sale on both the open internet, messaging channels, and the dark web - a hidden part of the web that can only be accessed using special tools.

We found that stolen accounts and data are being advertised for sale cheaply, with customers of Tesco, Deliveroo and McDonald's among those having their personal information marketed by fraudsters.

Stamp out scams - Scammers steal hundreds of millions of pounds from innocent victims every year. Join our campaign to get banks and businesses to do more to protect us

The data found was a treasure trove for fraudsters - including information that could be used to clone identities or give access to online services such as food delivery apps.

The impact on you can range from having to change your password to seeing your most intimate details being exploited by scammers.

And data breaches don't just happen at small organisations with inadequate security practices: from eBay to Equifax, even the biggest names can be hit by data breaches, with billions of consumer acccounts compromised over the past 15 years.

Our investigation highlights the dangerous knock-on effects of being involved in a data breach, or companies not prioritising security highly enough.

Tesco Clubcard

When we hunted around the dark web for stolen data for sale, we found one seller advertising 'Tesco accounts with usernames, passwords and loyalty card balances'.

The seller was offering the Clubcard data in blocks of 2,000 accounts, and based on our calculations, the individual accounts were being sold for around 42p. The seller claimed to have data on hundreds of thousands of Clubcard accounts for sale in total, although there was no way of us verifying this as we did not buy the stolen data.

Last March,Tesco confirmed that a database of usernames and passwords stolen from other websites had been used to try to access Clubcard accounts and customer vouchers. Tesco said at the time that no financial data was accessed and its systems hadn't been hacked. It claimed to have blocked affected accounts as a security measure. Yet when Red Maple researchers searched through dark web marketplaces for compromised accounts, they found examples that included data claiming to be from Tesco.

While the Clubcard accounts being advertised for sale might not work if they have been blocked, there is still value to the cybercriminals in stolen email addresses, passwords and other data. This is because they can potentially use the data to attack other services where consumers have reused the same credentials. Scammers could also use the data to mount phishing attacks on Tesco customers.

Tesco declined to comment on our findings after we approached the supermarket.

Deliveroo and McDonalds

Consumers have been turning to food delivery apps and services in increasing numbers during the COVID-19 crisis. However those who have had their details stolen and sold online could find that large food and alcohol orders are racked up on their accounts - with the people whose accounts had been stolen picking up the bill.

Researchers found Deliveroo accounts being advertised for sale on dark web markets for just £4.30 each. This happens due to a process called 'credential stuffing' (see more below), and there is even an 'account-checker' tool, enabling hackers to take a large number of usernames and passwords scraped from other breaches and check if they work on Deliveroo. Working accounts can then be offered for sale

Compounding the issue is that Deliveroo still does not offer two-factor authentication - an important additional security measure - on accounts to help customers protect themselves.

Which? also found My McDonald's accounts marketed for sale on the dark web, along with instructions on how to use them with the mobile app. The instructions advised someone to go to a McDonald's restaurant, make their order through the compromised account, and then pick it up. The stolen account can cost just a few pounds, but could result in an order of well over £30. The seller even offers a guarantee if the account login doesn't work for the scammer.

Deliveroo told us: 'Deliveroo takes online security extremely seriously and is constantly working to help protect customers against unauthorised logins by cyber criminals. We have strict and robust anti-fraud measures in place to combat fraudsters and to track patterns of criminal activity and to block fraudsters.

'We also partner with anti-fraud companies to address misuse of card information and we regularly remind customers to use new, strong, unique passwords to protect their Deliveroo accounts.'

McDonald's said: 'Unfortunately unwanted transactions do occur due to customers' details being compromised by other websites, which is why we regularly add additional layers of fraud protection and security to our app.

'These include device identification and additional fraud detection software, and we recommend customers use a unique password for their account. We also have a number of measures in place to mitigate any breaches, such as Bot Protection, and we remain confident that we have never had a breach of our systems.u201d

MGM, Houzz and data dumps

The personal data of millions of guests who stayed at MGM Resorts hotels was breached in the summer of 2019. A database of information was posted on a hacking forum in February 2020, and in October of that year we found a seller offering data from this breach.

This included 10.6 million guest records, including 'email and physical addresses, names, phone numbers and dates of birth' and was available on Dark Market, a dark-web marketplace.

The information was being advertised for sale at £18.30 per pack and could potentially be used for phishing attacks, where hackers might send emails pretending to be from MGM hotels to previous guests in order to scam them under the guise of the company.

Separately, we came across one seller that claimed to have 'about 200 leaked databases', while another seller was marketing 239 dumps of data, said to include details from many well-known organisations that have previously had data incidents, including accorhotels.com, dominos.com and marriott.com.

On another dark web marketplace, we found 7.9GB of data stolen in July 2018 from Houzz, a home design website, advertised for sale. The seller was touting the names, email addresses and passwords of 57 million Houzz users for just £778.

MGM Resorts said: 'MGM Resorts has addressed the incident reported in 2019. We continually seek to strengthen and enhance our security measures to protect guest data.'

We contacted Houzz but it had not replied by the time of publication.

Companies must do more on security

Two techniques often used by cybercriminals to access stolen data are 'brute-forcing' and 'credential stuffing'. Brute-forcing involves trying systematically generated passwords until hackers find the right one. Credential-stuffing is more preferable as a method as it involves trying known passwords, such as ones stolen from a breach.

The practice is made more successful as people often reuse their passwords across multiple accounts and services - this why security experts warn you to use unique passwords on every single website.

Both of these attacks are also made easier by poor security practices by companies, such as websites and services that allow many attempts to get the right password without locking you out, or those that let users set weak or common passwords.

Many companies also don't enable two-factor authentication (2FA) to give consumers more protection.

We will fight them on the breaches

While data breaches are hard to prevent, all companies need to take much more responsibility for what happens after they've had a breach.

The much bigger fines allowed under GDPR are a good start, but even those aren't enough of an incentive for companies to do everything they can to mitigate the risk.

In the January issue of Which? magazine, we investigated online bankingand not every provider got a clean bill of health. While no company gets it 100% right, we expect high standards from the banking industry, and we have concerns about other sectors where the stakes aren't as high as they are for retail banks.

More must be done to help consumers dealing with the aftermath. The current 'opt-in' system for seeking redress isn't working to help consumers who suffer when a company they've trusted with their details is breached.

We're calling for an opt-out system: if you're involved in a breach, Which? and other consumer champions will be able to call on the company on your behalf to make amends.

Redress could mean anything from financial compensation to direct assistance to help you deal with a breach, such as free credit monitoring or security health checks.

How to increase your online security

  • Passwords - Always set strong passwords for your accounts and don't use the same ones across different accounts. A password manager is also worth considering.Many services now alert you if your passwords have been compromised. Additionally, you can check if their email has been included in a data breach using https://haveibeenpwned.com/.
  • Two-factor authentication (2FA) - Wherever possible turn on 2FA to increase security, particularly if your account holds your financial information. Don't use SMS text message if you can access another option, such as an authenticator app or even a hardware token if possible.
  • Credit card details - Don't save your credit card details if you aren't going to use the service regularly. Although it's a faff to resubmit them, that's better than having your financial information unnecessarily stored in a database that could be compromised.
  • Guest checkout - Similarly to the above, just check out as a guest if you aren't going to use the service regularly. Only create an account if you really need to.