Over the last two weeks, Sam's Club has been sending security alerts and password-reset emails to customers most likely affected by credential stuffing attacks. Sam's Club is an American company owned by Walmart and has been operating since 1983.
Possible credential stuffing attacks
The company discovered the unauthorized access in September. According to Sam's Club, the attackers already had users' credentials, obtained through credential stuffing, data breaches or phishing attacks.
In credential stuffing attacks, attackers try out username and password combinations that have leaked online from breaches at other companies. Using the exposed credentials, the attackers can access a Sam's Club member's account (if that member reused the same password on other sites).
This is why security professionals emphasize the importance of using different credentials on different sites and applications. Using the same credentials for every account is dangerous: if one site is compromised and its credentials leak, users' accounts on other sites can be compromised as well. Criminals test the exposed credentials against other applications and may gain access (credential stuffing).
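One way a defender can spot this pattern in login logs and decide which accounts need a forced reset, as an added example that is not from the article or from Sam's Club; the login events, IP addresses and thresholds are constructed for illustration:

```python
from collections import defaultdict

# Constructed sample login events (not real data):
# (timestamp, source_ip, username, outcome)
EVENTS = [
    ("2020-09-15T10:00:01", "203.0.113.7", "alice@example.com", "fail"),
    ("2020-09-15T10:00:02", "203.0.113.7", "bob@example.com", "fail"),
    ("2020-09-15T10:00:02", "203.0.113.7", "carol@example.com", "success"),
    ("2020-09-15T10:00:03", "203.0.113.7", "dave@example.com", "fail"),
    ("2020-09-15T10:00:04", "203.0.113.7", "erin@example.com", "fail"),
    ("2020-09-15T10:00:05", "203.0.113.7", "frank@example.com", "success"),
    ("2020-09-15T10:05:00", "198.51.100.2", "alice@example.com", "fail"),
    ("2020-09-15T10:05:30", "198.51.100.2", "alice@example.com", "success"),
]

def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return source IPs whose login pattern looks like credential stuffing:
    many distinct usernames tried, mostly failing. A legitimate user who
    mistypes a password touches one account, not many."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _, ip, user, outcome in events:
        users[ip].add(user)
        attempts[ip] += 1
        if outcome == "success":
            successes[ip] += 1
    return {
        ip for ip in users
        if len(users[ip]) >= min_users
        and successes[ip] / attempts[ip] <= max_success_rate
    }

def accounts_to_reset(events, min_users=5, max_success_rate=0.5):
    """Accounts successfully logged into from a flagged source: these are the
    ones whose password should be reset and whose owner should be notified."""
    bad = stuffing_sources(events, min_users, max_success_rate)
    return sorted({u for _, ip, u, o in events if ip in bad and o == "success"})

if __name__ == "__main__":
    print("suspicious sources:", stuffing_sources(EVENTS))
    print("reset passwords for:", accounts_to_reset(EVENTS))
```

The thresholds are deliberately simple; production detection would also look at request rate, user-agent reuse and geography, and would be tuned against the site's normal failure rate.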
"We recently learned that in mid-September, an unauthorized party used your login credentials (email address and password) to access your Sam's Club account. Based on our investigation, the credentials used were not a breach of Sam's Club," said the security notice sent to members.
"Instead, your credentials may have been obtained from another source, for example, from another company's site, where you may have used the same or similar login information," the notice added.
Sam's Club spokeswoman Meggan Kring told BleepingComputer:
"Protecting the privacy of our members is something we take very seriously and constantly monitor for suspicious activity. As part of this effort, we recently found that unauthorized users were linked to specific member accounts."
The spokeswoman said that the unauthorized access did not result from a breach of the company's systems. The attackers already had the credentials, most likely obtained from phishing attacks, data-stealing malware or breaches at other companies.
"We have reset the passwords for these accounts and are taking additional steps to protect them from fraudulent activity."
Automatic password reset
All affected Sam's Club members have received a security alert and an automatic password reset on suspicion of unauthorized access to their account.
One of the emails sent by the company said:
"Our tracking shows that someone may be trying to take advantage of your account. As a precaution, we reset your password at SamsClub.com. We apologize for any inconvenience this may cause, but we focus on both your protection and your account."
This kind of proactive monitoring of customer accounts, combined with prompt password resets, is very important. Other companies should follow Sam's Club's example.