Incident

New Zealand New World club card accounts targeted in password spraying attack


Foodstuffs, the parent company of New Zealand's largest grocery retailer New World, reports that a limited number of New World Clubcard customer accounts were compromised in a password spraying attack that gave the attackers access to customer loyalty accounts and stored payment methods.

The incident was a password spraying attack in which hackers use automated tools to systematically try commonly used or previously compromised passwords across many New World Clubcard accounts. 
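Because each account receives only one or two guesses, a spraying campaign slips past per-account lockout thresholds; the signal to look for is a single source failing against many distinct accounts in a short window. The following added example (not code from Foodstuffs or the original report) runs that check over constructed login log lines and reports which sprayed accounts later saw a successful login:

```python
"""Detect a password-spraying pattern in authentication logs.

Per-account lockout thresholds miss spraying, because each account sees
only a failure or two; the signal is instead one source trying many
distinct accounts in a short window. The log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO ts> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:03 203.0.113.7 bob FAIL
2024-01-10T09:00:05 203.0.113.7 carol FAIL
2024-01-10T09:00:07 203.0.113.7 dave FAIL
2024-01-10T09:00:09 203.0.113.7 erin FAIL
2024-01-10T09:00:11 203.0.113.7 frank SUCCESS
2024-01-10T09:00:12 203.0.113.7 grace FAIL
2024-01-10T09:01:00 198.51.100.4 alice FAIL
2024-01-10T09:01:30 198.51.100.4 alice FAIL
2024-01-10T09:02:00 198.51.100.4 alice SUCCESS
"""

def parse(log):
    """Yield (timestamp, source_ip, username, result) per log line."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: {...}} for every source whose failed logins hit at
    least `min_accounts` distinct usernames inside some `window`-long span.
    A flagged entry also lists usernames that later logged in successfully
    from that source: the accounts to treat as compromised (reset password,
    revoke stored payment tokens)."""
    events = sorted(parse(log))  # chronological order
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        # Sliding window over this source's failures, counting distinct users.
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                hits = sorted({u for _, u, r in evs if r == "SUCCESS"})
                alerts[ip] = {"accounts_tried": len(users), "compromised": hits}
                break
    return alerts
```

The second source (two failures then a success on one account, a typical user mistyping a password) is deliberately not flagged, which is the distinction a spraying rule must make to stay useful.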

Foodstuffs claims that its internal systems were not breached or compromised during this incident. A compromised account nevertheless exposed sensitive customer data and capabilities:

  • New World Dollars (loyalty rewards currency that can be used like cash for grocery purchases)
  • Stored payment tokens enabling unauthorized purchases
  • Personal account information and shopping history
  • Ability to place grocery orders charged to stored credit cards
  • Access to account settings including contact information

The number of affected accounts has not been disclosed.

A Foodstuffs spokesman claims that no personal credit card data has been compromised: "Foodstuffs never stores full [credit] card numbers." The company explained that it stores encrypted payment tokens rather than actual credit card details, which allows transactions to be processed without exposing the underlying financial information.

For customers whose accounts were successfully compromised, the company deleted the stored encrypted payment tokens to prevent further unauthorized transactions. As a precautionary measure, Foodstuffs temporarily disabled the ability to redeem New World Dollars on affected accounts and required those customers to reset their passwords.

The company sent notification emails to both affected customers and those whose accounts showed no signs of compromise, advising all users to update their passwords as a security best practice.