If you've bought anything online from M&S, you should receive an email from the company warning about the fallout from the data breach, which saw names, emails, postal addresses, and more stolen

If you've placed an online order with Marks and Spencer, you need to be vigilant
- Marks and Spencer has confirmed that some customer data was stolen
- It includes names, email, and postal addresses
- This data could allow criminals to craft convincing phishing emails and SMS
- There's no need to change your password, experts say
- But there are steps you can take to secure your account, like using 2FA
Marks and Spencer shoppers have been urged to “stay vigilant” for scams and fraud after the popular retailer confirmed some personal data had been stolen in the recent cyber attack.
Don't panic: your password and card details were not stolen by criminals in the breach. There's no need to change the password associated with your M&S account, unless you're using one from this list.
M&S continues to block online orders from its website due to the incident last month
M&S confirmed that customer data that might've been accessed includes names, email addresses, postal addresses, and dates of birth. While none of this would allow criminals to access your account, it could be enough to craft some convincing phishing scams.
Phishing is a (worryingly common) type of cyberattack where criminals try to trick people into giving away sensitive information, like passwords and credit card numbers, by pretending to be a trustworthy source. Criminals could use some of the information stolen in the data breach — like postal address and names — to send a scam email with enough information to appear genuine.
In the wake of the data breach, Marks and Spencer halted online sales as a precautionary measure
Discussing the threat, Head of Threat Intelligence at cyber security firm NCC Group, Matt Hull said: "Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks.
"Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams. Cyber criminals are also likely to sell this data on the dark web as well, putting customers at even more risk.
“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks.”
Marks and Spencer has not revealed how many shoppers had been affected by the data breach, but it has emailed all website customers to alert them about the data breach. It had 9.4 million active online customers in the year to March 30, according to its last full-year results.
Chief executive Stuart Machin told shoppers there is “no need for customers to take any action”.
An update from our CEO pic.twitter.com/zZ9y4jJk8y
— M&S (@marksandspencer) May 2, 2025
In a social media post, Mr Machin said: “We have written to customers today to let them know that unfortunately, some personal customer information has been taken.
“Importantly there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.
“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”
Stuart Machin took over as Chief Executive Officer of Marks & Spencer in May 2022 — four years after joining the company as Food Managing Director
The group has not been able to take any orders through its website or app since April 25 as it tries to resolve the problem, although all stores remain open.
M&S first reported the issue over the Easter weekend, with the incident initially causing problems for the retailer’s contactless payments and click and collect orders, while it has also impacted some availability in stores after it took some of its systems offline in response.
A hacking group operating under the name Scattered Spider has been linked to the ransomware attack, according to reports.
While some customer data was stolen in the breach, M&S says it shouldn't allow criminals to break into your account
Earlier this month, the Information Commissioner’s Office said it was investigating the attack, as well as a similar major incident involving the Co-op. The Co-op has also apologised to customers after hackers accessed and extracted members’ personal data, such as names and contact details, while it too has suffered availability problems as a result of the attack.
Luxury department store Harrods also confirmed earlier this month it had been affected by an attempted hack and had temporarily restricted internet access across its sites as a precautionary measure.
Closed Door Security Chief Executive William Wright said the “best advice” for M&S customers in the wake of the incident was to be “highly cautious” of all email correspondence in relation to the attack, as this was likely how criminals would target people.
“Don’t send personal information over email, treat phone calls relating to the breach with caution, and if an email does come in requesting information, don’t hit reply, instead, contact M&S via the email address on its genuine website to verify its validity,” he added.
M&S has struggled to grapple with the fallout of the hack and retail experts have said it is likely to lead to a significant profit hit. The group’s annual results on May 21 will be watched closely for any update on the financial impact. While M&S shoppers are still unable to buy online, it was able to restart contactless payments in store fairly quickly and said customers can now take online order returns to stores.
Chris Burton, head of professional services at Pentest People, also encouraged people to shore up their online security.
“The first piece of advice I would provide is to change your password at the earliest opportunity, ensure it’s complex and do not ‘password share’ with any other logins you may have,” he said.
“This should also be enabled if the online retailer supports multi-factor authentication (MFA). If you are to configure MFA, I’d avoid using SMS based tokens; use an authenticator app.
“If an online retailer has enabled Passkeys, you can use a password manager to generate a passkey which essentially makes your account ‘passwordless’ – the passkey is a unique ‘key’ which is used to validate the user, it doesn’t require any keying of passwords and won’t store a password that could be potentially harvested.
“I would always discourage from saving your payment methods with providers; this is a common feature, and although there are security precautions in place with these types of things, I’d personally sooner not run the risk.
“Keep an eye on your personal information and things like credit files. If your personal details are harvested from a compromised source, there is the opportunity for impersonation. You may get an increase in spam calls claiming to be from various companies such as Amazon or other high-end retailers.”
Additional Reporting By Martyn Landi, PA Technology Correspondent