Over the past couple of days, Walmart users have been seeing unsolicited password recovery emails pop up in their inboxes. There’s clearly something fishy going on, but it doesn’t seem to be a simple hack: it’s likely the precursor to an ambitious phishing attack on Walmart.com users.

Speaking to BGR, a Walmart spokesperson confirmed that there’s an increase in password recovery emails, but doesn’t think that any accounts have been compromised — yet. Instead, Walmart thinks that a hacker is using Walmart’s password recovery system to prepare for a future phishing attack.

DON’T MISS: The only bad cell company is Sprint

Walmart’s password recovery system is like most others: input an email address, and it sends a recovery code to that email address. But unlike some others, Walmart’s system confirms or denies whether there’s a Walmart.com account associated with that email.

“The hackers are likely using the system to validate emails, confirm whether they have a Walmart account,” a spokesperson said. “They are probably preparing for a future phishing attack.” Once the hacker has verified that an email address does have a Walmart account, they can create an email purporting to be from Walmart, telling the user to click on a link and log in with their ID. If they do that, the hacker will have captured their username and password, and be able to access the Walmart account.

Dimitri Sirota, CEO of data security firm BigID, agrees with that theory. “Phishing attacks are very successful, since people are so inured to the possibility of being breached.” Using the password recovery system to validate emails is a common technique, either to prepare for a phishing attack, or to verify the validity of data dumps bought on the Dark Web.

Seeing the groundwork for a phishing attack being laid is worrying, but the steps for customers to remain safe are simple. Sirota says that he “very rarely click on a link in an email” — you’re much better off going to a website directly, and logging in through there.

Walmart’s spokesperson also emphasized that it’s “very unlikely” that any user accounts have been breached so far, and all customers need to do in the future is remain vigilant. If you’re particularly concerned, you can change the email address and password associated with your Walmart account.

View Comments