Tesco is issuing new cards to 600,000 Clubcard account holders after unearthing a security issue.
The supermarket giant said it believed a database of stolen usernames and passwords from other platforms had been tried out on its websites, and may have worked in some cases.
No financial data was accessed and its systems have not been hacked, it added.
It said this was a precautionary measure and apologised for the inconvenience.
“We are aware of some fraudulent activity around the redemption of a small proportion of our customers’ Clubcard vouchers,” a Tesco spokesperson said.
“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”
The supermarket said it had emailed everybody potentially affected, that nobody would lose their points and new vouchers would also be issued.
One of those who received an email was Josh, who works in IT.
“The email was very ambiguous,” he said.
“I thought it was because I’d just used a new bank card. I didn’t realise it was actually my account details that could have been compromised.
“It worried me – I feel better now it’s been clarified.”
Others responded in good humour on social media, questioning how much their points would actually be worth to a hacker.
The UK loyalty scheme offers one point for every pound spent in store. Every 100 points are worth £1.
The BBC understands about 19 million people have a Clubcard account.
Jake Moore, cyber-security specialist at the firm Eset, told the BBC plenty of people still use simple passwords or similar log-ins for many different platforms.
“Cyber-criminals can do a lot of damage with a large breached list simply containing names and emails or other trivial data,” he said.
“The big risk is via brute force attacking the accounts where criminals use leaked common password combinations against the emails to try to break into other personal accounts.”
Mr Moore suggested using password managers to generate and store uniquely different passwords, and two factor authentication where possible – in which a text message or email code is required as well as the password.