Around 20,000 Superdrug online customers may have had their personal details – including names and telephone numbers – stolen, the multiple has warned.

The company said it was contacted on the evening of 20 August by a hacker who claimed to have obtained ‘a number of our customers’ online shopping information’, and was ‘seeking a ransom’.

According to Superdrug, the hacker said they had information on approximately 20,000 customers, with the ‘possible disclosure’ including names, addresses, dates of birth and telephone numbers. The information did not include payment information, the company stressed.

However, the multiple said this had not been confirmed as it had only seen evidence of 386 accounts being hacked. These 386 accounts were shared by the hacker as proof of the attack, but were all accounts that had been attained in previous hacks unrelated to Superdrug, it said.

‘No evidence’ of breach

The multiple also said there was ‘no evidence’ of a breach in the Superdrug systems. The multiple believes the hacker obtained the details from other websites and then used those to access accounts on, it said.

A Superdrug spokesperson said: ‘We have worked with our independent IT security advisors who have confirmed that there have been no signs of a hack of our systems – for example, there has been no mass data download or extraction from our systems.’

Superdrug has communicated with its online customers to explain what has happened and advise that they change their passwords online. The multiple has also contacted the Police and Action Fraud, the UK’s national fraud and cyber-crime arm and would be ‘offering them all the information they need’ to investigate, it said.


Difficulty logging in to site


Due to the volume of people trying to change their passwords, some customers had difficulty logging into the site.

Superdrug said they were aware of the issue and apologised for the inconvenience. They tweeted: ‘We appreciate this is very frustrating and we are doing everything we can on this’.