A list of thousands of usernames and passwords was posted by hackers on a text-sharing website yesterday.
It is thought the data was taken from other websites in high-profile security breaches and used to access Tesco.com customer accounts to steal Clubcard points. There were 2,239 hits where the same usernames and passwords were used.
But only a "handful" of people are understood to have actually suffered theft of their Clubcard vouchers, as secondary security information was needed to fully access the accounts.
Tesco has now deactivated the affected accounts as a precaution and is contacting all customers impacted, pledging to reimburse those who have lost out.
The group said it was "urgently investigating" the security breach.
It added: "We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this.
"We will issue replacement vouchers to the very small number who are affected."
It comes after Tesco is said to have accidentally revealed hundreds of customer email addresses earlier this week when apologising for a pricing error.
The group is believed to have included all recipient addresses in the 'to' field, which meant they were seen by all those receiving the message.
Tesco was also hit by theft of customer Clubcard points in 2013, when hundreds of people reported their loyalty card accounts had been accessed.
It is understood hackers used phishing emails to gain login details.