It seems some oddness is afoot at Walmart. A number of people have reported receiving unprompted password recovery emails from an address that originated with the retailer.
This afternoon, Gizmodo received a few tips about emails like this from Walmart. Our tipsters provided us with some screenshots of the messages.
Meanwhile, if you search “Walmart password reset” on Twitter, it becomes clear our tipsters aren’t the only ones.
It seems most people only received one or two messages, but one unlucky dude received more—over a thousand in the space of about an hour and a half, he said.
“I was awoken halfway through due to my phone vibrating every few seconds with a new email,” Josh Oakes told me in an email. “I do web development myself so I find it very insecure there is no limit to how many password reset codes someone can generate especially since they can be as simple as a 4-digit code.”
The sender on the emails is listed as firstname.lastname@example.org. When reached by phone, a Walmart spokesman confirmed that it was a valid Walmart address, and that the emails themselves were legitimate. If you click through the links in the emails, they take you to Walmart’s actual website.
One of our tipsters told us that he bought something through Walmart’s website in May, but he never set up an account. He said that his wife also received an email, though she didn’t remember ever creating a Walmart account, or even buying anything from Walmart’s website.
The other tipster told us the account through which he received the password reset email had been involved in a previous data breach, a claim backed up by searching his email address in the HaveIBeenPwned database.
Some of the puzzled people out there warned the emails were part of a phishing scam, but Walmart’s spokesman told Gizmodo this didn’t appear to be the case—instead, the company believes someone was simply using Walmart as a way to check whether certain email addresses were valid.
“Someone likely obtained a list of email addresses, and used software to validate whether an address exists,” the spokesman said. If the attempt was successful—in other words, if the person received a notification that a password reset email was successfully sent to the address—then he or she now knows it’s a valid address.
“They might [then] use it for phishing scams,” the spokesman suggested, but he confessed that “we don’t know for sure why” it happened. He added, “it’s unlikely that a customer’s walmart.com account has been compromised.” The spokesman wouldn’t confirm how many email addresses were involved in this bizarre situation, but said the company was still monitoring it.
While Walmart’s theory sounds plausible, the fact that users who don’t even have Walmart accounts are claiming to have received emails throws a kink into this theory—which in turn suggests that no one really knows what the hell happened for sure. If you input an email address that’s not associated with an account into Walmart’s forgotten password form, nothing happens.
It’s possible the email addresses could have been obtained in a previous data breach, and the messages could be an attempt to get ahold of a user’s login information, or it could simply be a bored hacker who wants to spam a good number of people. In any case, if you received an email, it’s probably a good idea to keep an eye on your credit card statements—or better yet, change your password.
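For developers, the two weaknesses raised above (a reset form whose response reveals whether an address is valid, and no limit on how many reset codes can be generated) can be closed in the reset handler itself. The sketch below is an added example, not Walmart's code; the class name, limits and reply text are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Assumed policy values for this example, not taken from any real site.
GENERIC_REPLY = "If that address has an account, a reset email has been sent."
MAX_PER_ADDRESS = 3    # reset emails per address per window
MAX_PER_CLIENT = 10    # reset requests per client IP per window
WINDOW_SECONDS = 3600

class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.lower() for a in accounts}
        self.now = now
        self.by_address = defaultdict(deque)
        self.by_client = defaultdict(deque)
        self.token_hashes = {}  # email -> SHA-256 of the latest token
        self.outbox = []        # stand-in for the mailer: (email, token)

    def _allow(self, bucket, key, limit):
        """Sliding-window limiter: True if `key` is still under `limit`."""
        t = self.now()
        q = bucket[key]
        while q and t - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(t)
        return True

    def request_reset(self, email, client_ip):
        email = email.strip().lower()
        # Check the client first so a throttled client cannot use up the
        # per-address quota of someone else's mailbox.
        allowed = (self._allow(self.by_client, client_ip, MAX_PER_CLIENT)
                   and self._allow(self.by_address, email, MAX_PER_ADDRESS))
        if allowed and email in self.accounts:
            # 256-bit random token instead of a short numeric code;
            # only its hash is stored server-side.
            token = secrets.token_urlsafe(32)
            self.token_hashes[email] = hashlib.sha256(token.encode()).hexdigest()
            self.outbox.append((email, token))
        # Same reply for known, unknown and throttled requests, so the
        # response cannot be used to test whether an address is valid.
        return GENERIC_REPLY
```

With these limits, a burst of a thousand requests for one address produces at most three emails in an hour, and the caller sees the same reply every time.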