Sam's Club accounts hacked in credential stuffing attacks


Over the past two weeks, Sam's Club has started sending automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks.

Sam's Club, owned by Walmart, is an American chain of membership-only retail warehouse clubs operating since 1983. The brand is frequently listed alongside Costco and BJ's Wholesale Club.

BleepingComputer has been closely monitoring these notifications over this period and has heard from Sam's Club.
In emails sent out to Sam's Club members, and seen by BleepingComputer, the company is alerting members that an unauthorized party may have gained access to their accounts.

This activity, detected by Sam's Club in September, did not stem from a data breach. According to the company, it was likely a result of the attackers already knowing the user's credentials—for example, via credential stuffing, data breaches, or phishing.

"We recently learned that, in mid-September, an unauthorized party used your login credentials (email address and password) to access your Sam’s Club account. Based on our investigation, the credentials used did not come from Sam’s Club," read the security notification.
"Instead, it is likely that your credentials were taken from another source, for example, another company’s website, where you may have used the same or similar login information," the email continued.
Read more: Sam's Club customer accounts hacked in credential stuffing attacks