An app vulnerability leaves Woolworths customers furious with reports that the company’s Rewards cards were hacked.
Upon collecting 2000 points in Woolworths’ loyalty program, shoppers can receive $10 Everyday Rewards Dollars.
Several customers have taken to the OzBargain forum to report points had been stolen, and many were also concerned that their personal information had been compromised.
A vulnerability exists in an app functionality that allows anyone to enter a random card number and find a card’s point balance. After entering the number in a rewards card app, the barcode can be produced, which can then be scanned at Woolies checkouts to claim a discount.
OzBargain user jjj123 said, “Applied [for] the card last month with 5000 points bonus, I received the card today, login, and found the points were used in [another] state two weeks ago. Someone shopped the points in The Ponds and Kingsgrove in NSW. Anyone same situation with me? Who can access the card number before me? The envelope received today sealed in a unopened condition.”
Ricoguy added: “My card had $20 redeemed at Kingsgrove as well. I know you need a password to redeem Flybuys money at Coles but apparently you just need to scan the card to redeem your money at Woolworths which is quite a big loophole.”
In response to customer feedback, Woolworths said it was monitoring the issue. “Although our investigation shows there is no issue with the functionality and security of the app, we are reviewing how the app experience can be better improved to provide further assurances for customers,” he said.
Protect your account from exploitation:
To ensure the security of your Everyday Rewards account, Woolworths has shared these tips:
- Ensure that the passwords for all your online accounts are unique, including your Everyday Rewards password.
- Make your passwords stronger by including numbers and special characters like ILOVE2ReadB00ks! and 2beornot2B?
- Don’t trust calls, SMS, or emails that don’t seem genuine. Pay attention to who is contacting you. Your login information will never be requested by phone or SMS from Everyday Rewards.
- Log out of your accounts and lock devices as soon as you’re finished.
