Tesco (TSCO.L) is issuing new cards to 600,000 Clubcard account holders after discovering a security breach.
The supermarket said some customers may have fallen victim to online fraud after a database of stolen usernames and passwords from other platforms had been tried out on its website.
The use of the stolen data may have been successful in redeeming Clubcard vouchers some cases, according to the retailer.
Tesco have issued new cards to affected consumers as a “precautionary measure” after immediately blocking their accounts.
The supermarket giant said it had notified everybody potentially affected by email and reassured customers that nobody would lose their points and any stolen vouchers would be replaced.
Tesco asked the affected Clubcard users to reset their passwords and apologised for the inconvenience.
“We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers,” a Tesco spokesperson said.
“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.
“At no point was any customer's financial data accessed.
“We believe that someone has stolen password/username combinations from other website(s) and used them to try to access Tesco sites — where customers used the same username and password.”
The loyalty scheme, which has around 19 million users, gives shoppers one point for every pound spent in store. Every 100 points are worth £1 and can be redeemed as vouchers that can be used in Tesco stores or with selected partners.
Jake Moore, cyber-security specialist at the firm Eset, told the BBC many people still use simple passwords or similar log-ins for many different platforms.
Read more: Tesco to axe 1,800 jobs
“Cyber-criminals can do a lot of damage with a large breached list simply containing names and emails or other trivial data,” he said.
“The big risk is via brute force attacking the accounts where criminals use leaked common password combinations against the emails to try to break into other personal accounts."