
Marks and Spencer customers are being warned to take urgent action to secure their online accounts as the retailer recovers from a major cyber attack that forced it to suspend online orders and disrupted services across the UK. Experts say the incident highlights the growing threat of “credential stuffing” attacks and the importance of robust password management.
M&S halted all online purchases in April after a significant cyber breach, which affected click-and-collect and contactless payments. The retailer has now resumed online orders for clothing and footwear in England, Scotland, and Wales, with other services and regions set to follow in the coming weeks. The company confirmed that some personal data, including names, addresses, and order histories, was compromised, though no payment card details or passwords were accessed.
Despite this, customers have been urged to review the passwords they use across online accounts. Cybersecurity expert Sarah Knowles, co-founder of Shift Key Cyber, explained that attackers often exploit reused passwords across multiple sites – a technique known as credential stuffing.
She said: “Once they have gained access to one site, they can then successfully replicate the method on other sites. The primary motivation is financial, but it can also lead to identity theft.
“All M&S customers, in fact any customers of an online retailer that has been a victim of an attack, change your password immediately. The hackers will look for people who haven’t changed their passwords and could use this to steal your data. This needs to be the first step you take before making any online purchases.”
Ms Knowles recommended customers review all their online shopping login details to ensure none are reused across different retailers, including M&S. She said: “If you can’t remember where you do or don’t have an account, checking your email can be a good place to start – by reviewing the retailer mailing lists you are on. Make sure you check your spam and junk folders, too.”
She also stressed the value of using password managers, which are built into most modern devices, to securely store unique passwords for every account.
She urged people to use “multifactor authentication” when setting up new passwords, as using a secondary login method will add another layer of security.
For password creation, Ms Knowles said: “The longer the password, the better.”
M&S has warned that some service disruptions will continue until July as it restores full operations.