Tesco has deactivated more than 2,000 accounts after log-in credentials were hacked and shared online by cyber criminals.
It is understood log-in details were obtained by hackers using stolen data from other sites, who then used the same email and password combination on Tesco.com, resulting in 2,239 password matches.
The supermarket said it is investigating the incident and will issue replacement vouchers for customers affected by the latest security breach targeting Clubcard points. The supermarket said 10 transactions were being treated as "suspicious".
A Tesco spokesperson said: "We take the security of our customers' data extremely seriously and are urgently investigating these claims.
"We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this."
Earlier this month, Tesco accidentally revealed hundreds of customer email addresses after it sent out a pricing clarification message including details for all recipients in the 'to' field, which could be seen by anyone who received the email.
A spokesperson said: "The security of our customer's data is of the utmost importance to us, and we apologise sincerely to any of our customers who were affected. We are conducting a thorough review of our processes to ensure this never happens again."