Published On: Fri, May 16th, 2025

Warning to anyone who has used M&S online shopping


M&S shoppers have been placed on high alert and advised not to change their passwords, but rather to “stay vigilant” against email scams after the retailer was hit by a cyber attack. Customers who have made online purchases from Marks and Spencer should exercise caution, experts have warned.

Matt Hull, Head of Threat Intelligence at cybersecurity firm NCC Group, warned: “Despite the absence of financial data or passwords, threat actors could potentially use the stolen information to launch targeted social engineering attacks. Stay vigilant for phishing messages pretending to be from M&S or other companies you’ve dealt with. These attackers might use the leaked M&S information to craft very convincing scams. Cyber criminals are also likely to sell this data on the dark web, putting customers at even more risk.

“If you’re unsure about an email’s authenticity, don’t click any links. Instead, visit the company’s website directly to verify any claims. This extra step can protect you from falling victim to phishing attacks.”

Stuart Machin, chief executive of M&S, reassured customers in a social media post.

He said: “We have written to customers today to let them know that unfortunately, some personal customer information has been taken.”

“Importantly there is no evidence that the information has been shared and it does not include useable card or payment details, or account passwords, so there is no need for customers to take any action.

“To give customers extra peace of mind, they will be prompted to reset their password the next time they visit or log on to their M&S account and we have shared information on how to stay safe online.”

Closed Door Security chief executive William Wright advised M&S customers to remain “highly cautious” of all email correspondence following the incident, as this is likely how criminals would target individuals.

“Don’t send personal information over email, treat phone calls relating to the breach with caution, and if an email does come in requesting information, don’t hit reply; instead, contact M&S via the email address on its genuine website to verify its validity,” he further cautioned.

Chris Burton, head of professional services at Pentest People, suggested enabling multi-factor authentication (MFA) if supported by the online retailer, advising against SMS-based tokens and recommending the use of an authenticator app, reports Birmingham Live.

He said: “If an online retailer has enabled Passkeys, you can use a password manager to generate a passkey which essentially makes your account ‘passwordless’ – the passkey is a unique ‘key’ which is used to validate the user, it doesn’t require any keying of passwords and won’t store a password that could be potentially harvested.

“I would always discourage saving your payment methods with providers; this is a common feature, and although there are security precautions in place with these types of things, I’d personally sooner not run the risk.

“Keep an eye on your personal information and things like credit files. If your personal details are harvested from a compromised source, there is the opportunity for impersonation. You may get an increase in spam calls claiming to be from various companies such as Amazon or other high-end retailers.”
