Tesco has closed down more than 2,000 Clubcard accounts, after customers' names and passwords were hacked and posted online.
The company says it has deactivated a number of accounts, and has contacted all affected customers. With some complaining that their accounts have been cleaned out, Tesco says it will issue replacement vouchers to the "very small number" affected.
Tesco came in for heavy criticism back in 2012 when security experts revealed flaws in the way it handled customer data. It has since made improvements - most recently just last October, when it started requiring customers to enter their Clubcard number as an additional form of identification.
And in this case the company appears to be blameless. The hackers are believed to have stolen the user name/password combinations from other sites entirely. Exploiting the fact that many of us re-use the same passwords on multiple sites, they will have tested these combinations on the Clubcard login.
"Remember, folks: having the same password for different websites is a recipe for disaster. If one site gets hacked, and your login credentials are stolen, then that information can be exploited elsewhere on the web," warns security expert Graham Cluley.
Anyone who has been hacked should immediately change their password on any other sites they use, using a different one in every case. Software such as KeePass keeps all your passwords securely encrypted in one place, meaning you only need to remember one password to access the full list.
Such bulk hacking of passwords is becoming increasingly common - and incidents are getting larger in scale. Last month, for example, social networking site Snapchat was hacked and 4.6 million passwords stolen. At much the same time, an undisclosed number of passwords for Yahoo's email service were also accessed by hackers.
Indeed, it's entirely possible that the password combinations used to carry out the Tesco hack were harvested during one of these incidents.