PC Plus rewards collectors told to toughen passwords
TORONTO — Loblaw is warning PC Plus rewards collectors to beef up their passwords after points were stolen from some members’ accounts.
“We are treating this as a breach as individual member accounts were accessed and points were stolen,” said Kevin Groh, the company’s vice-president of corporate affairs and communications, in a statement.
The breach stems from people using favourite or weak username and password combinations across multiple sites, he said. These combinations were stolen from other sites and used to access PC Plus accounts, according to Groh.
In an email to PC Plus members sent last month, Loblaw pointed to sites such as Yahoo and LinkedIn, which were both hacked in recent years.
Last year, LinkedIn said a 2012 security breach compromised more than 100 million user passwords. It was previously believed only 6.5 million passwords were implicated. Also last year, Yahoo said the personal information of more than one billion of its users was stolen during a 2013 breach.
Loblaw said the company is unable to disclose how many accounts lost points as the company is continuing to work with any members whose points were taken to reinstate them.
The company emailed all PC Plus members, urging them to update their passwords. It asked members to create unique passwords that are a combination of letters, numbers and characters, and to change them frequently.
Loblaw also notified law enforcement, Groh said. He added Loblaw’s IT security team is monitoring unusual activity and is investigating any possibility of underlying vulnerabilities.