According to hundreds of reports on social media, people across the US have been receiving password reset emails for their Walmart.com accounts, indicating that someone is trying to access those accounts and change the password.
This appears to be some kind of mass hacking attempt, although success appears to be limited for now.
The emails come from a legitimate Walmart.com email address, so it’s not a traditional kind of phishing scam, which encourages customers to click on a link to an external site, where they are tricked into giving up their login info to hackers.
Instead, the email people have been receiving is a password reset email. If you forget your password, you can click on the “Forgot your password” link. If you enter a legitimate email address, a password reset code is sent to that address. Enter the code on Walmart’s site, and you can change the password.
It’s unclear exactly how this hack works, but there are some good guesses. The password reset emails appear to be unlimited, so it could be as simple as a (very low-probability) brute-force hack. There could be some flaw in Walmart’s system, which hackers can take advantage of at scale. It might involve using compromised email accounts. Hey, it could just be a bored hacker who noticed the lack of rate limits and decided to spam people.
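The missing control in the rate-limit guess is a server-side one. As an added example (not Walmart’s code and not part of the original article), this Python code caps reset emails per account and voids a code after a few wrong guesses, which is what keeps blind guessing low-probability. The class name, all limits and the six-digit code length are assumptions.

```python
import hmac
import secrets
import time

# Assumed limits for illustration; none of these values come from Walmart.
MAX_EMAILS_PER_WINDOW = 3   # reset emails allowed per account per window
WINDOW_SECONDS = 3600
MAX_GUESSES = 5             # wrong codes tolerated before the code is voided
CODE_TTL_SECONDS = 600
CODE_DIGITS = 6

class ResetGuard:
    """Hypothetical helper that throttles reset emails and code guesses."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sent = {}    # email -> timestamps of recent reset emails
        self.active = {}  # email -> [code, expires_at, guesses_left]

    def request_reset(self, email):
        """Return a fresh code to mail, or None if the account is throttled."""
        now = self.clock()
        recent = [t for t in self.sent.get(email, []) if now - t < WINDOW_SECONDS]
        self.sent[email] = recent
        if len(recent) >= MAX_EMAILS_PER_WINDOW:
            return None
        recent.append(now)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.active[email] = [code, now + CODE_TTL_SECONDS, MAX_GUESSES]
        return code

    def verify(self, email, guess):
        """Check a code; void it on expiry, success, or too many misses."""
        entry = self.active.get(email)
        if entry is None:
            return False
        if self.clock() >= entry[1]:
            del self.active[email]
            return False
        if hmac.compare_digest(entry[0].encode(), guess.encode()):
            del self.active[email]  # codes are single-use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.active[email]
        return False

def guess_success_bound(codes_issued):
    """Upper bound on a blind guesser's odds across `codes_issued` codes."""
    return min(1.0, codes_issued * MAX_GUESSES / 10 ** CODE_DIGITS)
```

With these assumed limits, an account receives at most three reset emails an hour, and each emailed code tolerates five wrong guesses before it stops working.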
Again, all of this is speculation. But what’s clear is that there’s a widespread attempt to take control of customers’ Walmart accounts (or crash Walmart’s email server). Until this is resolved, it’s probably a good idea to change your Walmart password (and possibly the email on the account!), and keep an eye on your credit card.
We’ve reached out to Walmart for comment on this story.