Sam’s Club customer accounts hacked in credential stuffing attacks

Sam's Club

Over the past two weeks, Sam’s Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks.

Sam’s Club, owned by Walmart, is an American chain of membership-only retail warehouse clubs operating since 1983. The brand is frequently listed alongside Costco and BJ’s Wholesale Club.

BleepingComputer had been closely monitoring these notifications over this period and has heard from Sam’s Club.

Possible credential stuffing or phishing

In emails sent out to Sam’s Club members, and seen by BleepingComputer, the company is alerting members that an unauthorized party may have gained access to their accounts.

This activity, detected by Sam’s Club in September, did not stem from a data breach. According to the company, it was likely a result of the attackers already knowing the user’s credentials—for example, via credential stuffing, data breaches, or phishing.

Credential stuffing attacks involve the attackers trying previously leaked username-password combinations against another website in an automated fashion, in an attempt to find accounts that share the same credentials.

That is one reason security professionals strongly advise against using the same username-password combination across different websites. Should one such website be compromised, the attackers would now be able to re-use the leaked credentials on others as well.

“We recently learned that, in mid-September, an unauthorized party used your login credentials (email address and password) to access your Sam’s Club account. Based on our investigation, the credentials used did not come from Sam’s Club,” read the security notification.

“Instead, it is likely that your credentials were taken from another source, for example, another company’s website, where you may have used the same or similar login information,” the email continued.

Sam's Club password reset notification
Sam’s Club password reset notification sent out October 8, 2020
Source: BleepingComputer

When asked for more information, Sam’s Club spokesperson Meggan Kring told BleepingComputer:

“Protecting our members’ privacy is something we take very seriously, and we are continually monitoring for suspicious activity. As part of this effort, we recently found that unauthorized parties had logged into certain member accounts.”

“This was not a breach of our systems, but rather a case of these parties obtaining user names and passwords from phishing campaigns, planting malware or breaches at other companies. We have reset passwords for these accounts and are taking additional measures to protect the accounts from fraudulent activity.”

“We are reaching out directly to those members who were affected,” Kring told BleepingComputer.

Automatic password resets completed mid-September

Previously, Sam’s Club members had received security notifications alerting them of an automatic password reset due to suspicions of unauthorized account access.

A copy of such an email obtained by BleepingComputer was sent September 24, 2020, to customers and read:

“Our monitoring suggests someone might be trying to take advantage of your account. As a precaution, we’ve reset your password. We apologize for any inconvenience this may cause, but we are focused on protecting you and your account.”

sam's club password reset notifications september 2020
Mid-September Sam’s Club had reset select account passwords citing unauthorized access suspicions
Source: BleepingComputer

More companies should follow Sam’s Club’s lead in proactively monitoring customer accounts and resetting passwords. This proactive protection of customers is especially important with cyberattacks on the rise and attackers deploying credential stuffing attacks that deprive people of COVID-19 relief payments.

However, it is not clear how it became possible to gain unauthorized access to Sam’s Club member accounts. Assuming the credential stuffing technique was leveraged as an attack vector, were there no automated rate limiters or security controls in place?

Cybersecurity challenges continue to grow as the attackers constantly evolve their tactics, and defenders continue to catch up in stepping up their game. 

Source link

Recent articles

Help! My Travel Agency Shut Down and I’m Out $2,000

Dear Tripped Up,Earlier this year, I used STA Travel to book a British Airways flight from Tucson, Ariz., to South Africa, scheduled to...

Bethesda and ZeniMax Sued for Sabotaging Elder Scrolls Skyrim Rival

Rune 2 publisher Ragnarok Game LLC has sued Bethesda and ZeniMax for allegedly helping to sabotage the game’s launch.As reported by PC Gamer,...

Qatar takes first long-haul jets in months with delivery of A350-1000s | News

Airbus has delivered three A350-1000s to Qatar Airways, its first handover of long-haul aircraft to the Middle Eastern carrier for eight months. Qatar received...

Who Won the Debate? Political Observers Weigh In

Grading on a curve, political experts said President Trump did not hurt himself. But they said neither did Joe Biden, and that may...

Smart sensors could track social distancing in the office

PointGrab developed its technology before the pandemic to help workspace managers optimize how employees use office space. About the size of a smoke...

Leave a reply

Please enter your comment!
Please enter your name here