Let me start right away with stating my email itself was not hacked. However, one of my email addresses was definitely used by a criminal and I’m not happy about it.
Here’s what happened.
Saturday afternoon I was working on my computer and went to check my email. I received an email around 1:30 pm saying “Welcome to Walmart!”. This was in my very private email account that I never use for purchases and only use for personal communications.
My email also said I placed an order and then canceled it right away. This wasn’t me.
When I saw the emails around 2pm, I checked my password manager and my current Walmart account uses a different email address. I immediately went to the Walmart.com site and had it send me a one-time-passcode (OTP) to that very private email address.
When I logged in, I saw the account had my name (but it wasn’t my legal name), my private email address, but someone else’s delivery address and the last four digits of a cell number (not mine) and a credit card (also not mine).
It wouldn’t let me change the password or phone number, so I deleted the Walmart account. I looked online and read there were others that had something similar happen over the years.
For a few minutes I thought, “maybe this was innocent and someone had an email address similar to mine.” Then I thought, “maybe my email was compromised,” so I also changed my email password to something impossible for them to recreate. Since it was a google email account I also went into the Google security settings to remove the third-party connections (those connections are created when you use your google account to login to other sites) in case on of those connections was compromised.
Along with removing the third-party connections, I disconnected all the other devices (such as my Amazon Kindle where I watch Google’s YouTube) because there were a few I wasn’t sure about but I think they were all my devices.
Then a few hours later I received another set of emails with a new Walmart account, a new purchase, and a canceled order. I went back in and deleted the account AGAIN.
I knew this time it wasn’t my email that was compromised.
I tried to create a Walmart account on my own using that same email address but it won’t let me, probably because it triggered a fraud alert in Walmart’s systems. I tried to create a new account a few times yesterday and today, but still can’t. I hope it’s permanently disallowed.
I figured out the criminal’s scam. Credit card fraud. Not mine, but someone else’s.
I’m very certain that they had gotten a hold of someone’s credit cards and address. This was confirmed when I saw they had loaded two credit cards on the new Walmart account. No one opens a brand new account and immediately loads two credit cards.
When a criminal gets a hold of a stolen credit card number, they usually try to buy something to verify it’s active. Sometimes they do this in person, like at Walmart or a gas station. When we’ve had our credit cards compromised, that’s usually where they went.
In this case, they used the Walmart website because the login is through either an email or phone number. They don’t need both to access the system.
I’m guessing the phone number was a burner phone. Why they picked my email address to use, I have no idea but maybe because it’s a legitimate name and email. They could have used any other email address and name.
There’s nothing Walmart could do for me other than delete the account, which I did for myself. There’s also no way to prove that the person was a criminal, but since the mailing addresses, phone numbers, and credit cards were different across the two accounts, I’m positive they were testing how much could be purchased on the cards.
The takeaway is that you should carefully watch your emails for any unusual activity. Nothing happened to me in this situation, but it still irks me that I was “used”. Stay alert and stay cyber safe, my friends.