Tesco has deactivated customers' internet accounts after their login names and passwords were shared online.
The list of more than 2,000 Tesco.com accounts was posted to a popular text-sharing site earlier on Thursday.
The supermarket giant said the data had been compiled by hackers using details stolen from other sites.
A small number of people contacted by the BBC via the email addresses given on the list confirmed their accounts had now been deactivated.
Weak passwordsAll those contacted said their login details were correct and one added the attackers had used them to steal store vouchers.
Tesco said it was "urgently investigating" the appearance of the data.
It is thought the list was drawn up by attackers who combed through data stolen in other high-profile security breaches.
Password and email combinations seen in those large breaches were then tried on the Tesco site and resulted in 2,239 hits where the same credentials were used.
"We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this," Tesco said in a statement.
"We will issue replacement vouchers to the very small number who are affected."
The attack is not the first time that Tesco has fallen victim to cyber-thieves. In early 2013 hundreds of owners of Tesco Clubcards reported their loyalty card account had been penetrated.
Helpful Webroot Links: