After experiencing low level fraud at walmart.com firsthand, I went digging for a reason why. After making my way through the mud that is Walmart customer service, I encountered thousands of accounts being sold online for as low a dollar.
The hackers sell off the lower value accounts on deep web marketplaces. While searching just one online marketplace, we were able to find thousands of stolen accounts. Some had already been sorted to explain their value in the item description. A fraudster can buy accounts that have saved credit cards, gift cards, and zero balance accounts.
The low level fraudsters usually purchase an untraceable item. In my case, it was PlayStation gift card delivered by email. It’s the perfect item to purchase with a stolen account. It can easily be resold online for near face value with no ties back to the victims.
One disappointing fact is that Walmart doesn’t care about their customer’s security. A person in China can login to a US customer’s account and change the email without any further verification. Walmart’s terms of service state that they are not responsible for maintaining account security.
After speaking with some Walmart employees, I learned that the email address for my account had been changed to a temporary email service. It allowed us to recover the account by using the public email address. The address on the account had been changed to a hotel in another state. We attempted to call the fraudster but the hotel front desk didn’t have any guests by the name on the account shipping address.
Finally, when trying to change the account password to a more secure one, we encountered an error about password length being too long. According to security professionals, this is strong indicator that passwords are being stored using plain text. Meaning a person with the right access can login to any account. We encourage everyone to delete all stored cards on walmart.com for their own security.