ADVERTISEMENT

Tesco coupons easily faked to save £750 on Hotels.com bookings worldwide

Hotels website homepage
Bernard Meyer
Bernard Meyer Senior Researcher
Jul 7, 2020 Updated: 8 May 2026 10 min read

Summary of our results

  • Discount is composed of 13-character codes that use the same first 5 characters, plus 3 numbers consisting of the discount amount (200, 500 or 750), and then a colon, leaving only the 4 last characters to be guessed
  • All possible voucher codes equal more than 4 million possible codes
  • Coupons can save anywhere from £200-£750
  • The coupons are valid for booking from 21/04/2017 to 31/12/2021, and guests can use them until 31/12/2023
  • There are multiple blackhat marketplaces selling this cheat, with some selling a £750 code for just £37.50
  • According to these blackhat marketplaces, coupon amounts can also equal £160, £200, £300, £400, and £500

How the coupon hack works

Tesco Clubcard details on redeeming points for Hotels.com discounts
Tesco’s Clubcard code formula
The special Tesco Clubcard page on Hotels.com
successful booking
message that code already been used
booking confirmation
confirmed booking Hilton Cardiff
successful booking at Kempinski hotel Vilnius
Email message

How the black market is reacting

Blackhat sites selling fake codes
Answers to questions in blackhat sites selling fake codes
message in group on ICQ
ADVERTISEMENT

So who’s losing money here?

  1. Tesco Clubcard
  2. Tesco Clubcard members
  3. Hotels listed on Hotels.com
  4. Hotels.com

Tesco Clubcard

Tesco Clubcard members

Tesco Clubcard support message

Hotels on Hotels.com

Hotels.com loses big

  1. Clubcard members are more likely to activate low-amount discounts than high-amount discounts, since they probably have lower amounts of points. In order to get a £750 discount, members would need to exchange 25,000 Tesco Clubcard points. For £200, that’d be a more reasonable 6,700 points.
  2. People buying fake codes are going to use discounts that will save them the most money, covering at least 90% of the Hotels.com room rate, meaning that they’re most likely to only have the taxes to pay. (This is opposed to cheaters covering only partial costs, meaning Hotels.com would still have some revenue.)
  • 100 stolen codes since launch means nearly £20,000 in lost revenue
  • 1,000 stolen codes since launch means nearly £200,000 in lost revenue
  • 10,000 stolen codes since launch means nearly £2,000,000 in lost revenue
  • 100,000 stolen codes since launch means nearly £20,000,000 in lost revenue

What can you do?

Tesco Clubcard support message
coupon code invalid
  1. Using much longer, less predictable codes with more characters in each space
  2. Generating codes only when they’re created by the customer, if that’s technically feasible
  3. Putting a limit on attempts in the coupon code entry field to stop brute force attacks
ADVERTISEMENT