TESCO temporarily removed Hotels.com from its Clubcard offers after scammers guessed the discount codes and sold them on the black market.
The supermarket pulled the voucher offer, which allowed customers to bag between £200 and £750 off hotel rooms with Hotels.com, after it was alerted to the fraud back in March this year.
The issue has now been resolved and the offer reinstated, but it means that millions of Tesco shoppers were potentially denied the reward for being loyal customers.
Cyber security group CyberNews spotted the hack four months ago, after discovering that the one-off promotional codes were being sold for hundreds of pounds on two hacker forums.
The cybercriminals were able to decipher the 13-digit codes generated by Hotels.com that customers use to claim the discount when booking online.
Fraudsters could then use the discount codes to bag money off upcoming trips.
Hotels.com issued only a limited number of the codes, and each could be used only once, so codes that had been guessed and sold on before being issued left loyal Tesco shoppers out of pocket.
Tesco’s loyalty scheme has 19million members.
It’s not clear how many of the codes were sold on but up to four million potential codes were up for grabs, according to CyberNews.
Once it was alerted to the breach, Tesco temporarily withdrew the deal and either reimbursed or replaced vouchers for customers who were affected.
Shoppers who believe that their codes may have been affected are being urged to contact the Clubcard support team, where cases are being reviewed individually.
Expedia – the firm behind Hotels.com – also took measures to prevent this from happening again once it became aware of the scam.
CyberNews blamed insecure codes generated by Hotels.com and said that it should be a warning to other firms that accept discount codes.
The research group said: “In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud.
“We’d recommend using longer, less predictable discount codes with more characters which make it harder for cybercriminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”
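The two measures CyberNews recommends, sketched in Python as an added example (not code from Hotels.com, Tesco or CyberNews): codes drawn at random from a larger alphabet, and a cap on wrong entries per account. The alphabet, the `RedemptionService` class, its limits and the use of four million as the count of valid codes are assumptions made for illustration.

```python
import secrets
import time

# Constructed alphabet: 32 unambiguous characters (no 0/O, 1/I), 5 bits each.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def generate_code(length=16):
    """Draw every character from the OS CSPRNG so codes share no pattern."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def expected_hits(alphabet_size, length, valid_codes, guesses):
    """Expected number of valid codes found by `guesses` blind guesses."""
    return guesses * valid_codes / alphabet_size ** length

class RedemptionService:
    """Single-use codes plus a cap on wrong entries per account (hypothetical)."""

    def __init__(self, codes, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self.unused = set(codes)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}  # account -> (failure count, time of last failure)

    def redeem(self, account, code):
        count, last = self.failures.get(account, (0, 0.0))
        if count >= self.max_failures:
            if self.clock() - last < self.lockout_seconds:
                return "locked"       # refuse before even checking the code
            count = 0                 # lockout expired, start counting again
        if code in self.unused:
            self.unused.remove(code)  # one-off code: burn it on first use
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = (count + 1, self.clock())
        return "invalid"

if __name__ == "__main__":
    # One million blind guesses against four million valid codes (assumed).
    print("13 random digits :", expected_hits(10, 13, 4_000_000, 1_000_000))
    print("16 chars, 32 syms:", expected_hits(32, 16, 4_000_000, 1_000_000))
    print("sample code      :", generate_code())
```

Even fully random 13-digit codes give 0.4 expected hits per million guesses at that volume, which is why the attempt cap matters as much as the code length.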
Tesco confirmed to The Sun that the breach had taken place and that it pulled the Clubcard offer while it sorted the problem.
A Hotels.com spokesperson said: “This issue was identified and resolved promptly several months ago.
“Working closely with our partners at Tesco we ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned.
“No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result.”
In an unrelated incident, Tesco blocked 620,000 Clubcard accounts after scammers tried to steal points.
And earlier this year it urged Clubcard holders to claim lost points, as £17million were left unclaimed.