Warning: My Walmart.com Account Was Hacked!
A few hours ago I was sitting at my computer when an interesting email came through. It was Walmart thanking me for my order. My first thought was that my wife must have seen a deal at Walmart. My mind then immediately went to thinking about whether or not she used a portal. (Sometimes she conveniently “forgets”!)
Of course, out of curiosity I opened the email to see that someone had ordered a Samsung Note 2. Better yet, the delivery address was in Ohio. As you can see from the screenshot below, they left my billing address and payment information the same, but just changed the delivery address.
And the new shipping address.
Since I had seen this email almost right away, I quickly went online and tried to cancel the order. After finding the correct screen I clicked “cancel” but then was given an error. I decided it was time to call Walmart to have my account shut down. While Walmart’s phone tree is terrible, I kept pounding “0” and reached someone.
After explaining my situation, the Walmart rep verified my information and told me he was going to place me on hold while he spoke to his supervisor. Just as he placed me on hold, another order confirmation came through. This time the scammer ordered a cheaper Android phone.
The rep had me on hold for a while, so by the time he came back I had also received a fraud alert from American Express. Apparently he had also tried to place another order for $967.35. I hadn’t had a chance to call Amex yet since I was still on with Walmart, so I was happy to see the fraud alert email. By clicking that the charge was suspicious, I had effectively shut down the credit card so this person couldn’t place any more orders.
In the meantime, the Walmart rep came back on and off the phone several times while he worked to completely delete all payment information and shut down my account. At this point my wife starts calling because American Express was calling her asking about the suspicious activity. Oh and did I mention that Fridays are daddy day care day so of course the baby had to wake up from her nap and start crying!
Eventually I calmed the baby down just as the rep completed the shutdown of my Walmart account. I then quickly called my wife and then American Express to make sure they issue a new card just in case. Walmart claims all of the orders were cancelled, so by quickly seeing the email and calling, I prevented any charges from actually going through.
I don’t normally purchase anything at Walmart.com, however I did buy gift cards there last year during an Amex Offer. While I normally never agree to save payment data on an account, apparently that somehow happened at Walmart. The card used to place the orders today was the card stored on my account. In other words, my credit card number wasn’t stolen, but instead my Walmart.com account was hacked.
It is a terrible idea to store payment data on an online account. Apparently Walmart is supposed to ask for the 3 or 4 digit security number for stored payment data, but they didn’t seem to do that. Also, you would think when someone changes the shipping address to a different state, Walmart would at least verify some information. I know Amazon requires the entire card number be re-entered when you add a different shipping address.
For those who are wondering, the shipping address is for a company called Borderlinx. They act as a middleman for people shopping on U.S. or E.U. based websites. Customers in foreign countries use the Borderlinx address for shipping and then the company accepts the packages and sends the merchandise overseas. At this point I am not going to pursue this further with Borderlinx, but both Walmart and Amex have the shipping address information if they wish to.
What You Should Probably Do
I suspect there are quite a few of you with an Amex card stored on a Walmart.com account. You may also have Amex cards stored on your Sam’s Club account from the recent deal. I urge you to delete these items, since that data doesn’t seem to be secure if your account is hacked. At Walmart you can delete them by going to “My Account” and “Credit Cards”. Sam’s Club stores the info under “My Account” and then “My Payment Settings.”
This is probably a good reminder that it is never generally a good idea to keep payment data stored with a company. While some companies like Amazon do a good job of it, others like Walmart apparently don’t. I will continue to keep my payment data stored with Amazon because I trust their security a little more, but I plan to check accounts from several other retailers to see if payment data was stored accidentally.
In the end, I lost about an hour of my time dealing with this, but I did get some satisfaction knowing that this scammer won’t be getting his merchandise. While I wouldn’t have been responsible for the charges either way, it still feels good to know that Suratno Nano or whoever he is won’t be receiving his packages addressed to Shawn Coomer!