Sam's Club, owned by Walmart, is an American chain of membership-only retail warehouse clubs that has operated since 1983. Over the past two weeks, Sam's Club has started sending automated password reset emails and security notifications to customers whose accounts were compromised in credential stuffing attacks.
Possible credential stuffing or phishing
In emails sent out to Sam's Club members, the company is alerting members that an unauthorized party may have gained access to their accounts.
This activity, detected by Sam's Club in September, did not stem from a data breach at Sam's Club itself. According to the company, it was likely the result of the attackers already knowing the users' credentials, for example from earlier breaches elsewhere, credential stuffing, or phishing.
Credential stuffing attacks involve attackers automatically trying previously leaked username-password combinations against another website, hoping to find accounts that share the same credentials.
That is one reason security professionals strongly advise against using the same username-password combination across different websites: should one such website be compromised, the attackers would be able to reuse the leaked credentials on the others as well.
"We recently learned that, in mid-September, an unauthorized party used your login credentials (email address and password) to access your Sam’s Club account. Based on our investigation, the credentials used did not come from Sam’s Club," read the security notification.
"Instead, it is likely that your credentials were taken from another source, for example, another company’s website, where you may have used the same or similar login information," the email continued.
However, it is not clear how it became possible to gain unauthorized access to Sam's Club member accounts. Assuming the credential stuffing technique was leveraged as an attack vector, were there no automated rate limiters or security controls in place?
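As an added example (not code from the article or from Sam's Club), this is the kind of log-side check the rate-limiter question points at: a Python detector over constructed login-log lines that flags a source address trying many distinct usernames in a short window, and lists the accounts that succeeded from it, which are the ones to force-reset and notify. The log format, thresholds and addresses are assumptions.

```python
"""Credential-stuffing detection over login logs (added example).

Heuristic: one source IP trying many *distinct* usernames in a short window
looks like stuffing (a brute-force attack hammers one account instead).
Accounts that authenticated successfully from such a source are candidates
for a forced password reset and a user notification."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed log format; not from any real system.
SAMPLE_LOG = """\
2023-09-14T10:00:01Z login ip=203.0.113.5 user=alice@example.com result=fail
2023-09-14T10:00:02Z login ip=203.0.113.5 user=bob@example.com result=fail
2023-09-14T10:00:02Z login ip=203.0.113.5 user=carol@example.com result=ok
2023-09-14T10:00:03Z login ip=203.0.113.5 user=dave@example.com result=fail
2023-09-14T10:00:03Z login ip=203.0.113.5 user=erin@example.com result=fail
2023-09-14T10:00:04Z login ip=203.0.113.5 user=frank@example.com result=fail
2023-09-14T10:00:05Z login ip=198.51.100.7 user=alice@example.com result=fail
2023-09-14T10:00:09Z login ip=198.51.100.7 user=alice@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"] == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct_users=4):
    """Return {flagged_ip: sorted accounts that logged in successfully from it}."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(log_text)):  # chronological order per source
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this source's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) >= min_attempts and len({e[2] for e in win}) >= min_distinct_users:
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged
```

With the sample above, 203.0.113.5 is flagged and carol@example.com is the account to reset; the single-account failures from 198.51.100.7 are not stuffing under this heuristic.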
Cybersecurity challenges continue to grow as attackers constantly evolve their tactics, and defenders must keep stepping up their game to keep pace.
At Vortexshield we will keep your computer safe from hackers and malware and keep it patched, but users still need to be vigilant about choosing good passwords, not reusing them everywhere, and enabling two-factor authentication whenever possible. Learn more at https://vortexshield.com