Points theft in supermarkets: Cyber criminals steal Rewe bonus points
Crooks are currently stealing credit from a bonus app via its shared collection function and selling it on the black market. What's behind the scam.

With the Rewe bonus program, customers collect points - which can fall into the hands of criminals.
(Image: Rewe)
Customers use bonus apps to secure discounts when shopping and can turn the points they collect into cash. Now cyber criminals are targeting the credit balances of Rewe customers and using voucher cards to turn them into money. Rewe has ruled out a security gap - apparently weak passwords and phishing are to blame for the theft of points instead.
Bonus programs for loyal customers are a must for grocery stores: practically every discounter and supermarket chain offers an app with discounts and loyalty points or participates in the cross-brand Payback program. The latter's star sank when the retail group Rewe withdrew all its stores at the end of 2024 and opted for its own program called Rewe Bonus. Members of Rewe Bonus collect points when they shop and can offset the credit they collect against their purchases – saving them money. The Rewe Bonus program also offers the option of sharing the bonus credit with a second person, such as a partner or roommate. Both collectors can then use the full balance and not just the portion they have contributed themselves.
In mid-February 2025, several defrauded Rewe customers complained on the internet platform Reddit about a scam that always works the same way. Their Rewe bonus account was linked to the account of a stranger via the "Collect together" function, the entire balance was paid out in a Rewe store and used to purchase a Paysafecard, for example. Such cards are untraceable and can easily be turned into cash on the black market.
The theft of points often took place within a few minutes, so that the victims were unable to react. They were also not in the vicinity of the Rewe supermarket where the payout took place. In the course of our research, more than a dozen victims contacted the heise editorial team within a few days; the Spiegel editorial team was also in contact with several victims. So this was not an isolated case.
Security gap, data leak or trial and error?
The approach of the criminals, who almost without exception exploit the function for collecting points together, made us curious. Like our whistleblowers, we also suspected that there could be a security vulnerability in the Rewe app or a data leak at the retail chain.
We were particularly curious about the mechanism for inviting a collection partner. If a Rewe Bonus member enters the email address of the desired partner in the app or on the website and presses the invite button, the Rewe system generates a unique identifier (UUID) for the invitation process. It sends the invitee an invitation link with this UUID. However, a simple click on the link is not enough. According to our tests, the invitee must be logged in and confirm the invitation with no fewer than three clicks in the app.
Rewe app: invitation to collect points together (5 images)
Step 1: Invite the desired partner in the app
(Image: heise security / cku)
Accidentally clicking on the invitation link via an email scanner or similar mechanisms was therefore ruled out. Annoying: the Rewe systems tell the inviting party whether the desired partner participates in the bonus program – so not only can e-mail addresses be verified, but also whether their owner is a member of the bonus program.
But our attempts to outsmart the API calls underlying the invitation system (for nerds: a RESTful API with correct use of the verbs GET, POST, PUT, DELETE, exemplary!) also failed: Apparently nothing works without logging in. As we are neither commissioned nor competent enough to pentest the Rewe app, we asked the company's press office what the point theft was all about.
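The invitation flow described above (a UUID per invitation, acceptance only by a logged-in invitee) can be modelled in a few lines. The following is an added example and not Rewe's code; heise only observed the flow from outside, and the seven-day expiry, the single-use rule and the uniform reply to the inviter are assumptions chosen to show what a defender would want from such a feature, not properties the article reports.

```python
# Added example, not Rewe's code: a minimal model of a "collect together"
# invitation. The article observes from outside that the system issues a UUID
# per invitation and that only a logged-in invitee can accept it. This model
# implements that flow plus three assumed properties: the token expires, it is
# single-use, and the inviter receives the same reply whether or not the
# address belongs to a member, so the feature cannot be used to check who
# participates in the programme.
import uuid
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)   # assumed lifetime, not from the article


class InviteService:
    def __init__(self, members):
        self.members = {m.lower() for m in members}  # e-mails of programme members
        self.invites = {}      # token -> invitation record
        self.partners = {}     # inviter e-mail -> partner e-mail
        self.outbox = []       # (recipient, token): stands in for the mail system

    def create(self, inviter, invitee_email, now):
        """Called by a logged-in inviter. Returns the message shown to the inviter."""
        invitee = invitee_email.strip().lower()
        # Only members can be invited and nobody can invite themselves, but the
        # reply to the inviter is identical in every case (no membership oracle).
        if invitee in self.members and invitee != inviter.lower():
            token = str(uuid.uuid4())          # 122 random bits, not guessable
            self.invites[token] = {"inviter": inviter.lower(), "invitee": invitee,
                                   "expires": now + INVITE_TTL, "used": False}
            self.outbox.append((invitee, token))
        return "If this address belongs to a member, an invitation has been sent."

    def accept(self, token, session_user, now):
        """Called when the invitee confirms in the app. session_user is None if
        the link was merely opened without being logged in."""
        inv = self.invites.get(token)
        if inv is None or inv["used"] or now > inv["expires"]:
            return False                        # unknown, spent or expired token
        if session_user is None or session_user.lower() != inv["invitee"]:
            return False                        # anonymous click or wrong account
        inv["used"] = True
        self.partners[inv["inviter"]] = inv["invitee"]
        return True


if __name__ == "__main__":
    svc = InviteService(["alice@example.org", "bob@example.org"])  # constructed members
    now = datetime(2025, 2, 14, 12, 0, tzinfo=timezone.utc)
    print(svc.create("alice@example.org", "bob@example.org", now))
    recipient, token = svc.outbox[0]
    print("anonymous click:", svc.accept(token, None, now))          # False
    print("logged-in invitee:", svc.accept(token, recipient, now))   # True
```

The point of the model is that neither the link nor the UUID grants anything on its own: the server binds the token to the invited address and checks the session against it, which matches what heise observed when a bare click on the link did nothing.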
Rewe denies security problems
The Rewe press department denies a data leak or security vulnerability in clear terms. "The facts described on Reddit are not based on a gap or leak in our system, rather the fraudsters continue to rely on phishing and data collection on the dark web," Rewe spokesman Thomas Bonrath told heise Security. Victims of the points scam should file a criminal complaint. "As soon as the investigating authorities contact us with a file number, we will support the investigations as best we can," promises Bonrath.
We are also happy to help those affected to secure their account against unauthorized access by resetting their password – users can also use two-factor authentication for the app and website, the Rewe spokesperson continued. In fact, several victims had contacted Rewe customer service, who were already aware of the scam. Some told us that they had been refunded the stolen credit as a gesture of goodwill, while others were less fortunate.
Nothing is "worthless" for cyber criminals
So apparently it wasn't the Rewe servers that were broken into, but the accounts of the affected users. The cyber thieves logged in with their access data and then invited their accomplices to collect points on behalf of the victims. On this occasion, the attackers were also able to view and copy address or purchase data, which they could later use for plausible phishing attacks.
In fact, the explanation that criminals simply tried out access data or captured it in some other way is as obvious as it is realistic. In the belief that access to a bonus app is not as valuable as login details for online shopping, for example, users often assign weak passwords or use them multiple times. In addition, one victim told us that she frequently had to log into the app again at her local Rewe supermarket. A long, complex password is difficult to enter on the smartphone keypad.
Well-chosen passwords that are only used for one service are the best protection against phishing and identity theft, as the Rewe example shows. Users should not assume that their points balance is of no interest – even small amounts are attractive to cyber criminals. After all, they run their business on an industrialized scale, exchanging and selling access data among themselves and using every opportunity to turn it into money.
Anyone using supermarket apps should therefore also observe the most important basic rules here:
- Use long, sufficiently complex passwords
- Do not use passwords more than once
- Use a password safe that is also available as an app (such as Bitwarden)
- If possible, activate two-factor authentication or passkeys
This reduces the risk of phishing, and data leaks also lose much of their horror. However, changing your own passwords regularly without a specific reason is not recommended, as heise security explains every year on the occasion of Change Your Password Day.
Combolists from data leaks
If you search the darknet and relevant chat rooms for stolen access data, you will quickly come across so-called "combolists". These lists, usually simple text files, contain access data in the form user name:password. The data often originates from infections with infostealer malware, i.e. specialized malware that steals credentials from browsers and password safes. The criminals also collect access data in data leaks and cyber attacks, which they exchange with each other in combolists.
We found several of the Rewe victims in such combolists, while others found their password for the Rewe app on the "Have I been pwned" service run by Australian Troy Hunt. The most likely explanation for the points theft is therefore that unknown criminals are working their way through masses of access data until they hit on Rewe customers.
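What a service operator does with such a list is the mirror image of what the criminals do: check whether any of its own customers appear in it and force those accounts to reset. The following is an added example, not code from heise or Rewe; the combolist sample and the customer list are constructed, and the only format assumed is the user name:password form described above, split at the first colon because passwords may themselves contain colons.

```python
# Added example (not from the article): parse a combolist of "user name:password"
# lines and find which of our OWN customers appear in it, so those accounts can be
# locked and a password reset enforced. Sample data is constructed.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Credential:
    user: str
    password: str


def parse_combolist(lines: Iterable[str]) -> List[Credential]:
    """Split each line at the FIRST colon only: passwords may contain ':'.
    Blank lines, comments and lines without a separator or with an empty
    user name or password are skipped."""
    creds = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if not sep or not user or not password:
            continue
        # E-mail addresses are treated case-insensitively by practically every site
        creds.append(Credential(user.strip().lower(), password))
    return creds


def affected_customers(creds: Iterable[Credential], customer_emails: Iterable[str]) -> List[str]:
    """Customer accounts whose e-mail address occurs in the leak, sorted."""
    known = {e.lower() for e in customer_emails}
    return sorted({c.user for c in creds if c.user in known})


SAMPLE_COMBOLIST = """\
# constructed sample, not real leaked data
alice@example.org:Winter2024!
BOB@example.org:pa:ss:word
malformed line without separator
carol@example.net:hunter2
dave@example.org:
"""

CUSTOMERS = ["alice@example.org", "bob@example.org", "erin@example.org"]  # constructed

if __name__ == "__main__":
    creds = parse_combolist(SAMPLE_COMBOLIST.splitlines())
    print(affected_customers(creds, CUSTOMERS))  # ['alice@example.org', 'bob@example.org']
```

In practice the matching is done against the customer database, the leaked passwords are discarded after the comparison, and the affected users are forced through a password reset rather than merely notified; the list only tells you which accounts are exposed, not whether the leaked password is still in use.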
Doubts remain
However, an uneasy feeling remains – both for those affected and for the security-minded editor. Several victims assured us that they had used secure passwords that were only used in the Rewe app, or even the two-factor authentication offered by Rewe. Whether the criminals found a backdoor in the Rewe app or whether a – possibly undetected – malware infection is behind this remains unclear for now. It is also a mystery how the criminals got past the blocks built in by the Rewe developers to prevent access data from being tried out in bulk. Are they exploiting a vulnerability in the Rewe system or are they using VPNs, botnets or residential proxies?
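The last question is exactly where simple per-IP blocks fall short: traffic spread over VPNs, botnets or residential proxies keeps every single address below the threshold. The detection logic below is an added example, not something from the article or from Rewe's systems; the log format and all sample lines are constructed. It flags the classic single-source pattern and, separately, a distributed burst of failures that share one client fingerprint (here simply the user agent).

```python
# Added example, not from the article: detection logic for credential-stuffing
# patterns in authentication logs. Two signals:
#  1. one source IP failing logins for many DIFFERENT user names in a window;
#  2. a distributed variant (VPNs, botnets, residential proxies) where every IP
#     stays below the per-IP threshold but all share one client fingerprint
#     (here: the user agent) and together produce a burst of failures.
# The log format and all sample lines are constructed for this example.
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    # constructed format: "<ISO timestamp> <ip> <user> <OK|FAIL> <user agent...>"
    ts, ip, user, result, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), ip, user.lower(), result, ua


def detect_stuffing(lines, window_minutes=5, per_ip_users=5,
                    per_fingerprint_fails=10, min_ips=3):
    fails_by_ip = defaultdict(set)                    # (bucket, ip) -> distinct users
    fails_by_ua = defaultdict(lambda: [0, set()])     # (bucket, ua) -> [fails, ips]
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result, ua = parse_line(line)
        if result != "FAIL":
            continue
        # fixed time buckets keep the aggregation simple and deterministic
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                            second=0, microsecond=0)
        fails_by_ip[(bucket, ip)].add(user)
        entry = fails_by_ua[(bucket, ua)]
        entry[0] += 1
        entry[1].add(ip)

    alerts = []
    for (bucket, ip), users in fails_by_ip.items():
        if len(users) >= per_ip_users:
            alerts.append(("single-ip", ip, len(users)))
    for (bucket, ua), (fails, ips) in fails_by_ua.items():
        if fails >= per_fingerprint_fails and len(ips) >= min_ips:
            alerts.append(("distributed", ua, fails))
    return alerts


SAMPLE_LOG = [
    # a legitimate user mistyping once: must not alert
    "2025-02-14T12:00:10 192.0.2.5 erin@example.org OK browser/1.0",
    "2025-02-14T12:00:40 192.0.2.5 erin@example.org FAIL browser/1.0",
    "2025-02-14T12:00:55 192.0.2.5 erin@example.org OK browser/1.0",
] + [
    # one address failing for six different accounts within a minute
    f"2025-02-14T12:01:{i:02d} 198.51.100.7 user{i}@example.org FAIL curl/8.0"
    for i in range(6)
] + [
    # twelve proxy addresses, one failure each, identical client fingerprint
    f"2025-02-14T12:03:{i:02d} 203.0.113.{i + 1} victim{i}@example.org FAIL app-client/1.0"
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

The user agent is a weak fingerprint on its own; a real deployment would combine it with TLS or device signals and add a global failure-rate baseline, but the structure stays the same: aggregate on something the proxies cannot cheaply vary, not only on the source address.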
Are you also affected by points theft at Rewe? Write me an e-mail at cku (at) heise.de!
By the way: Many heise-investigativ investigations are only possible thanks to anonymous information from whistleblowers.
If you have knowledge of a grievance that the public should know about, you can send us information and material. Please use our anonymous and secure mailbox.
In any case, users should always use secure passwords if they do not want to lose their points balance or other virtual valuables.
(cku)