Thursday, April 25, 2013

My Walmart account was hacked

Summary: Lessons from my Walmart account hacking incident.
Out of the blue, I get an email from Walmart:
Dear Alek Davis,

Personal information associated with your Walmart.com account - name, email address and/or password - has been successfully updated as requested. If the account change included an update to the email, for your added security this account update confirmation is sent to both the new and old email addresses. All future emails will be sent to the new address only.

If the account information update is correct, no further action is needed.

If you did not make these changes to your account, please call us immediately at 1-800-966-6546.

If you have any questions, please reply to this email and let us know how we can help.

We appreciate the opportunity to assist you and look forward to your next visit.

Sincerely,

Your Walmart.com Customer Service Team
I try to log on to my Walmart account and fail to authenticate. I attempt to use the I Forgot My Password feature, but get a message stating that my email address is not registered with Walmart. It's obvious: someone hacked my Walmart account!

I call the above mentioned 1-800 number, but the customer support department is closed (it's around 10 PM PST, but apparently, the world's largest retailer cannot afford 24x7 customer support). There is no option to report the problem online. What's a girl to do?

The best thing I can do is send an email reply describing the problem. I get a canned response indicating that I will get a human response within 24 hours. Okay, what's next?

Results from a quick Google search suggest that a common pattern of Walmart hacking involves using saved credit card data to purchase digital goods. So, I log on to my credit card's account (for the card that I normally use at Walmart.com) and see two unauthorized transactions: one in the amount of $60 (turns out to be 2 Straight Talk 1000-Minute, 1000-Text, 30MB Web Access Service Cards), and another in the amount of $50 (2 SKYPE $25 Prepaid eGift Cards). I call the credit card company to report fraud. I also checked other credit cards that could've been on file with Walmart, but do not notice anything suspicious.

I try logging on to Walmart.com again, and notice a strange address popping up in the email field of the Sign In form for a second just before it is overwritten by my original (and no longer good) address filled in by LastPass. Apparently, I have a low-security personalization cookie, that is not good for anything important (like checking or changing account info, or submitting orders), but it could give me some info about the hacker. I disable LastPass and reload the form. Get the email field populated with this address: ssuper981@yahoo.com. Hello, hacker. How're you doing?

Silly idea: what if I try to log in with my original password? The hacker can't be that careless, but... One... two... three... I'm in! Dear, ssuper981@yahoo.com, thank you for failing Hacking 101. I change my email address back, change the password, and remove all credit card info from the account. I see the two orders in the processing state, and successfully cancel one of them. I use a form to send an order cancellation request for the second purchase, but apparently the Skype eGift cards have been already sent. Well, it's now between Walmart and my credit card company to dispute the charge.

What else can I do? I go to the Yahoo! Security Center and try to find an option to report fraudulent activity coming from a Yahoo! email, but Yahoo! does not provide any way to do this (via a form, email, or phone).

The next morning, I call Walmart (thank God Walmart can afford customer support during normal business hours) to report the incident to a human and have a short conversation with a nice woman (btw, have the companies started bringing customer support back from the foreign lands? talking to a motivated native speaker is so refreshing!). Now, it's time to get back to life, but first, lessons learned:
  1. Never save credit card information when shopping online! Yeah, it's convenient, but may eventually cause more hassles.
  2. Read #1.
And a couple of comments:
  • Walmart: No 24x7 customer support? Seriously? Even for security issues? Come on, you can do better!
  • Walmart: Good call on sending notification to old customer's email on personal profile changes. Have I not seen this message, it would have taken me much longer to realize that my account was hacked.
  • Walmart: Shouldn't user activity that starts with personal profile (and email) changes and is followed by an immediate purchase of digital goods raise a flag for suspicious activity? I know that you rush to get a payment, but you see: you lost $60 (which could've easily been $110), and I'm sure you need that money to hire more support people (at the very least, for security related issues).
  • Yahoo!: Would it be too much to ask for some way of reporting fraudulent activity originating from a Yahoo! email account? Just asking.
Have a nice day, everyone. Be safe!

41 comments:

Chaz Pebble said...

Wow! Thanks for posting this. It's just happened to us. Luckily our checks hadn't gone into our account and the hackers bounced my bank account! Our bank caught it... Walmart did not! They shut down our account after non-payment from our bank. After calling them... Walmart's answer? Open another account with us... WE DONT THINK SO!!!!!!!!

Alek Davis said...

Wow! Just, wow!

bayou said...

My WalMart account was hacked earlier today (2am) and 2 iphones were charged to my visa. Luckily I received an email thanking me for my purchase and was able to cancel b4 they shipped. WalMart rep was not very sympathetic or helpful when I reported my account was hacked.

JDP said...

My Walmart Acct got hacked a few days ago. I think Walmart must have had a major breach of their security. This appears to have happened toa lot of people recently and continues to keep happening.

JDP

K said...

I got the "your account information has been updated" email tonight after randomly checking an old email account. I called walmart, well past 10pm EST on a Sunday night and was put on with a live customer rep (maybe they've changed their 24/7 policies?).

He was very kind and helpful, asked me a few things to verify my account, and told me that a handheld calculator had been ordered. He cancelled the order and removed any saved payment information--he even asked if I might have an account with my more used email and he removed sensitive info from that account as well.

He also let slip the email address that my account was changed to, so I did what you did and tried signing into the account with the old password, and like you, it worked. I changed back the email and made the password more complicated.

So far, no charges have been made to any of my bank accounts or credit cards, but luckily, this email address is so old, any saved account info on the walmart site was likely expired and/or had the credit card number changed since I last visited.

Ugh. I'm angry that walmart's security seems so lax considering how many times this is happening to people, but I will say that their customer service rep was very kind and helpful, so there's that.

Alek Davis said...

It's nice you were able to get hold of a live person. And agreed: Walmart security seems a bit lax considering so many hacks.

Iceman said...

I had the same thing happen to me a few weeks ago. I called my credit card company and before I had Walmart.com out of my mouth they said "Sir this is a huge problem, we will take the charges off and issue you a different card" My solution. NO MORE WAL MART!

Health.Nut said...

I just got the email "confirming" the changes to my walmart account. CS rep. friendly, but unconcerned. Changed password, and cleared other changes (name, address and email), but couldn't close account (on administrative hold...). Unwilling to pursue perp. Problem must be HUGE! Sounds like major compromise.

Jim Vander Mey said...

THis is still going on.. I found the phone number on a different site. (good luck find the phone number) it is 1 800 966-6546. When I politely asked the operater her her name an employee number she said she was only allowed to give out her first name. So I asked for here dept and what city she was in. Denied! She could not guarantee that this bogus purchase would in fact be Cancelled! I asked to talk to supervisor...Denied! at the end. she said stay for the survey. I stayed. Computer asks me if I am satisified with the customer service hit 5, if not hit 6. I hit 6 it says. "Thank you, Goodbye"

Eldnim said...

It worked - thanks

The Kidds said...

This just happened to us- thank heavens for the email notification from Walmart as I had not used my account in over a year...no orders were placed but likely bc my cards on file were probably expired. Seems like a huge problem....

KimT said...

My Walmart account was just hacked. I got the changed info email. However, they added new card info, different billing name and address and had the $170 item shipped as a gift to another address. I called Walmart and told them their system had been hacked. It took some convincing.

Tiffany Warrick said...

So GLAD you had this posted. They hadn't changed my password, but they did order 2 phones or something, but that means they stole someone else's card info cause mine was expired. Good for me, bad for someone else. Walmart is having some serious security issues, tried to call but after waiting an hour to get a person on the phone I decided it was fine that my info was changed and I wont be ordering from Walmart.com ever again.

Jeffrey Holland said...

Thanks for the info. My walmart account was hacked early this morning and if it wasnt for the emails I received, I would not have known so quickly. I called walmart and reported it and had all credit card info deleted. I had to open a completely new account.

TLO said...

WOW, is all I can say. My account was hacked yesterday by Sam Anon, email address:imexploit@gmail.com and a cell phone #317-800-2999 (so Walmart can text when the Play Station 4 is ready to be picked up in their home town of Indiana (I will on the west coast) Search of cell phone indicated a residence on W 18th and Winfield Ave., in Indianapolis, IN. I found out my Walmart account was hacked when my credit card company fraud department called me. I logged into my Walmart account to see who had hacked my account and cancelled the order for a Play Station 4, deleted my credit card info and changed my password. I spent the next 20 minutes changing all my passwords and thought every thing was taken care of. Check my email this morning to find an email from Walmart advising my password had been changed at 5:54 am and I still had items in my cart, REALLY? Tried to log in and was blocked. Pushed the button for forgot my password, entered email and found my email address did not exist......humm. Called Walmart to shut my account down and spoke with Customer Service representative who just laughed and said those hackers have a way of getting in. I thought about telling him he might want to rewind that answer, and decided any comment would be a further waste of my time. Simple answer from me; Please shut my account down and put a fraud alert for future attempts....

I did an internet search for topic and found you. Thank you so much for posting your experience. Any other words of wisdom to a digital immigrant like me?

TLO

Alek Davis said...

TLO, I wish I could share some words of wisdom, but the only ones I have would be addressed to Walmart (and they would include a lot of swear words). :-)

Tom Coshow said...

That was really bad! It's a good thing you managed to change your email address and other necessary details, and you even had the other transaction cancelled for that matter. Otherwise, you would've been stuck with those fraudulent charges. Anyway, I think most companies have customer support services 24/7, but I guess WalMart isn't one of them. Fraudulent cases like yours can happen at any time, and it will be really helpful if the victims could report such incidents immediately. Thanks for sharing!

Tom Coshow @ TeleDirect

John/STRATCOM said...

I just had the same thing happen, did an Internet search and found you blog which was very helpful. Immediately called Wal-Mart (fortunately it was early enough and they were still open) but had to wait 25 minutes for customer service and they verified that my email had been changed by someone and a stored credit card info was taken. There were no orders placed with Wal-Mart and I also called the credit card company and no new activity there and they have fraud watch. Now I'm not storing credit card info anymore! The strange thing is that the hacker changed my email twice in one hour (several hours ago) and they haven't placed any orders using the credit card so maybe I'm just lucky. Thanks again for your blog post, it helped a lot!

Alek Davis said...

That's a bit weird, but I'm glad you resolved it quickly, John.

kalyan kumar gudivada said...

Exactly happy same thing to me today, morning i woke up and see walmart account information updated and could not logon to walmart.com any more.

luckily i have signed up credit card alerts on email, 3 walmart.com purchases 452, 257, 157$ etc.

1. called amex and reported stolen card information, will get new cards

2. called walmart.com number press 3 then press 5, rep deleeted all card information and gave new password to reuse my account in 24 hours

I am glad i have seen emails before items are shipped.

John/STRATCOM said...

The day AFTER I posted the hackers did try to make a purchase, a cell phone for more than $300 but I had already removed credit card info from the Wal-Mart account so the purchase couldn't go through but the phone was still sitting in the shopping card. Fortunately the hackers were too slow on trying to make a purchase or they were just not very smart.

Barry Love said...

Wow my Walmart account got hacked the funny thing was that they used an old card for the order but still were somehow able to complete the order?

Zing4 said...

It would be useful if the comments here were listed as most recent first.

My Walmart account was hacked on May 14,2015. Stored credit card information was used. They ordered two iPads from Walmart. The Walmart Thank You For Your Order form was what alerted me. The iPads were to be sent to a person I never heard of at 1003 Richland St, apt A , High point NC, 27260. Moments after I got the Walmart form, as I was talking to my credit card company and canceling that card, I began getting quickly increasing numbers of peculiar emails that said in the subject line things like the name of a country(i.e., Ghana), each email was different, followed by a long string of seemingly random letters and ending with the word "confirm" in hypertext. In less than 5 minutes I got over 600 of these emails. The instant the card that had been hacked was cancelled I stopped receiving any more emails like that. Very odd.

John/STRATCOM said...

reply to Zing4 - I didn't get any emails but my hacker was slow in placing an order (several hours) after hacking the account but they did try to get an iPhone but I had cancelled the account by then. I think your experience shows that many of these hackers operate outside the U.S. in places where there is little enforcement (I've had emails from Nigeria, Liberia, and a number of other places in Africa plus Canada) and they also have people in the U.S. working with them to receive the stolen items. Most security people now say NEVER link a credit card to an account and NEVER store your passwords with the company. I immediately changed everything and how I order items after I got hacked recently.

Sheila Owen said...

My Walmart.com account was just hacked into.. I just got off the phone with their customer service, and he cancelled out that account, and he cancelled their order which was made with a Walmart credit card that was cancelled by me over a year ago. How is that even possible? I don't think I had my bank account (debit card) info stored, if I call the bank and let them know this happened, can they do anything to help me?

Alek Davis said...

If you cancelled your credit card but it was successfully used to complete a purchase, you should notify your bank. But at this point, other than making sure your credit card is inactive, you shouldn't need any other help (since your order was cancelled and Walmart account closed).

H2 said...

Just happened to me! Luckily my bank caught it. I called customer support and deleted my Walmart.com account. Now the fun begins of changing all of my passwords (just to be on the safe side).

Motherhood for the Weak said...

I was hacked. At first I thought the email from Walmart was spam because they had my name wrong in the email but then I started googling and poking around and realized I'd probably been hacked.

I quickly shut down my credit card and sent an email to Walmart.com (knowing their customer service wouldn't be open). This morning Walmart sent an email saying they had closed my account.

So I don't believe the hackers got anything. But wow, I almost ignored the Walmart email! Close call!

April Ortego said...

Thankfully I was awake and heard my e-mail notifications going off like crazy last night. I checked the emails and had 3 charges to my account for 2 watches and a PS4. I tried calling Wal-Mart and was told that customer service was closed. While I was on the phone 2 more charges occurred for a 7" tablet and a external hard drive. I logged in to my account and deleted all saved bank information as well as changing my password. I called the local Wal-Mart (waste of time) and asked it they could help which the answer was no. I guess because I deleted my cards at the same time the orders were being placed Wal-Mart cancelled them. I started receiving emails stating that each order was cancelled and upon looking at my bank account online it showed ATM refunds in the amount of $1,264.347. I went to my bank as soon as they opened and cancelled my cards, called Wal-Mart online and had them confirm that the transactions were in fact cancelled. I had my Wal-Mart account deleted and I have been on the computer deleting any and all saved payment information. This seems to be a trend with Walmart.com

pharohwrite said...

my account got hacked but I'd like to see them try to purchase anything because the card recently got updated so therefore the account is useless.

beckylou26 said...
This comment has been removed by the author.
beckylou26 said...

I was hacked on Sept. 13 and they were able to order a laptop for in store pickup in Paris,Kentucky, right after they ordered for delivery a smart phone. As smart as I am I am perplexed how easily they were able to do this. I've checked for viruses ect. Have never given out my password, but yes, the classic stored credit card on walmart.com. I am still awaiting the "fraud investigation" My fraudster used the name peggy toy and the e-mail toy.terri@yahoo.com

b8273bcc-6be8-11e5-b393-13df04f314db said...

I just got the email. I didn't have any credit card information stored there, but they did get the money in the Savings Catcher account.

Because they changed the email address and all the information (phone, billing address), the (very nice) lady I spoke with had a hard time finding my account, but she tried something else (I'm not sure what) and was able to find the account and confirm that the account was hacked and that they got that Savings Catcher money. She was able to close the walmart.com account for me as well and confirm that I didn't have any credit card information in there. The only purchase was a gift card for what was in the Savings Catcher.

I'll be calling the Savings Catcher group in the morning to make sure that is closed as well.

I don't know what time Walmart.com Customer Service is open until, but I was able to speak with someone just after midnight Eastern. Savings Catcher opens at 7:00 per the rep I spoke with from walmart.com CS.

Singh1234 said...

My walmart.com account got hacked in the exact same manner on October 13 and hackers used by $ 44 gift card balance to buy a walmart eGiftcard. I added the gift card just a day before. Now I am out of luck as walmart.com is saying that I used a Sams Club gift card so they can not do any thing and Sams club is saying that since this incident happened on walmart.com they can not do anything in this matter.
Any suggestion what I need to do next to get by gift card balance back?

Alek Davis said...

Sorry, Singh1234. I wish I could help you, but looks like you're out of luck. :-(

HockeyFrog said...

Same problem. Do they know your password or do they get in another way?
They depleted $300 from my gift card. When I first called, the rep said you will get your money back, but he said that he had to escalate the problem and they would call me in a few days. No calls. Called again and they said they are still looking into it . Called a week later and they put me through to corporate. This girl Latonya, she wouldn't give her last name , said she can't help me and that I should go to the police. What a load of crap.
I asked for her supervisor and she said they will call within 24hrs. I'm still waiting.

John/STRATCOM said...

I was fortunate the hackers waited almost a day before trying to buy and smart phone and other things. I had already removed the credit card and closed the account so their items ended up in the shopping card and they couldn't charge them. My advice to everyone is NEVER store a credit card or gift card online, especially with Walmart. Walmart is not helpful when these things happen and you end up on the phone forever with them. Make every purchase a one time thing, do not store any info with them online.

Barney Rubble said...

My Sams Club store credit card was hacked on 10/23/2015. Synchrony Bank didn't actually shut my card and account down until later in the day on 10/24/2015. I know that to be true because I last logged into my account at about noon on 10/24 without any problems and it was 6 p.m. on 10/24 when I received an email from Synchrony Bank with the account alert notice.

You would think their system tracked usage better than it does. I don't use my Sams Club or Walmart store cards that often, but here's what's amazing. I actually did use my Walmart card locally on 10/23/2015. I live in the Midwest. A few short hours later, someone is racking up charge after charge on my Sam's Club card at a Walmart store in Garden City, CA. They let 5 or more charges go through to the tune of about $500 all done in one day, and didn't actually shut down the account until later the following day!

Common sense would dictate someone using any credit card, maybe twice in a day at the same store, three times would be over the norm, but five times??? They basically have no security as far as I am concerned. I've never used my card on-line at Sams Club website, so how was it hacked? Someone locally at Sams or Walmart skimming the info from my card? Unless somehow someone got the info from my Sams Club on-line account. Only two ways it could have happened. Or, I guess there is a third possibility...Synchrony Bank itself has been hacked and they just don't know it yet!

They said they were sending new cards and I would have to set up my account again on-line, but you know what? Right now my thinking is to cancel the new cards, my account and my Sams Club membership. Maybe if more people were to do this, they might increase their security.

Wes Stampley said...

This thread was started in 2013, it is 2016 now and my walmart.com acct was just hacked.Any credit card info was expired but they did steal my savings catcher balance and put it on an egift card. I called the number provided but since there is now no account associated with my email they can't find me. They went on to ask me for my CC# to track an old order to verify my account. Wait, what? if there is no account associated with them, how is giving up an old card number going to help? plus, I don't remember my old card number and I'm pretty sure I would have paid it through Paypal anyway as I make a practice of NOT giving anybody and everybody my CC#. 3 years and you haven't fixed this? C'mon Walmart, get it together. I am done with Walmart.com, keep your savings catcher garbage.

Stephanie Morrison said...

Wow this literally just happened to me tonight! I got the email notifying me of some changes that were made to my Walmart.com account and then I got another email saying my egift card information had been resent so of course I figured whoever hacked into my account was attempting to steal my savings catcher money by placing it on a gift card. I only had less than $1.00 in my savings catcher account and any credit card info that happen to be associated with my account was expired and old. I called to report what happened and they told me they would deactivate my account but that I would have to contact the Savings Catcher Dept tomorrow in order to my money transferred over. But I'm not about to be going thru all that over $1.00. Obviously who ever hacked it needed thst $1.00 waaaay more than I did. Smh

Kristin said...

Just dealt with this this morning! My bank texted me asking if I tried to make a $350+ purchase on Walmart.com. I said no, and they promptly blocked my card. Then I get an email from walmart notifying me that my account info was changed. I call them, basically get told that they have no record of the attempted purchase because it was not approved (or something) and tell me to change my password. no concern for the fact that I was hacked. so now I'm off to the bank to get a new card -_-