
Boots halts Advantage Card payments after cyber-attack


Boots has suspended payments using loyalty points in shops and online after attempts to break into customers' accounts using stolen passwords.


Customers will not be able to use Boots Advantage Card points to pay for products while the issue is dealt with.

Boots said none of its own systems were compromised, but attackers had tried to access accounts using reused passwords from other sites.

It comes days after a similar issue hit 600,000 Tesco Clubcard holders.

A spokeswoman for Boots told the BBC the issue affected less than 1% of the company's 14.4 million active Advantage Cards - fewer than 150,000 people.

But it could not give an exact number as the company was still dealing with the problem.

No credit card information had been accessed, they said.

Suspending payments using points removed the risk of hackers stealing the points to spend themselves, the spokeswoman said.

Customers can still earn points when making purchases, and Boots hopes to have point payments back up as soon as possible.

The Boots Advantage card lets shoppers collect four points for every £1 spent, and each point is worth a penny. For example, a card with 200 points could be used to pay for an item worth £2.

But the points can also be used when purchasing items online.

So-called "password stuffing" happens when an attacker uses a list of compromised usernames and passwords from a previous data breach.

They then try to log in to a different website, hoping for a match.

Because many people use the same email and password combination for several websites, some of the combinations on the compromised list might work.

In Tesco's case, the supermarket giant told customers it believed that a compromised list of usernames and passwords had been used to try to gain access to its customers' accounts - and it may have worked in some cases.

It said no financial information was accessed, and it had restricted access to the accounts to prevent fraudulent use.

TOP TIPS: 

  • We suggest enabling two-factor authentication on each of your accounts, as this makes a password stuffing attack much harder.
  • Consider using a password manager to store your unique passwords securely online so you don't have to remember them all.

Boots said customers could reset their passwords online, and should choose a unique password not used on other sites.


https://www.bbc.co.uk/news/technology-51742079?intlink_from_url=https://www.bbc.co.uk/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story