Superdrug has told customers it had been contacted by a hacking group on Monday evening claiming to have obtained the details of 20,000 customers, including names, addresses, dates of birth and phone numbers. Superdrug said in the email to customers the company had only seen evidence so far that 386 of the accounts had been compromised.
A spokeswoman said: “The hacker shared a number of details with us to try to prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in.”
To customers who have received an email from us today, this email is genuine. We recommend you follow the steps we outlined.
— Superdrug (@superdrug) 21 August 2018
Superdrug said the information stolen did not include payment card information. They have advised users to change their Superdrug password.
“We believe the hacker obtained customers’ email addresses and passwords from other websites and then used those credentials to access accounts on our website,” it said. We take our responsibility to protect your personal information very seriously and that is why we have let our customers know as soon as we could. We have contacted the police and Action Fraud [the UK’s national fraud and cyber-crime arm] and will be offering them all the information they need for their investigation.”