Something fishy is going on with Walmart’s password reset system, and Walmart’s response so far has been about the same as the shrugging emoticon. ( ¯ _(ツ)_/¯)
It seems someone is sending out password reset notices from email@example.com, even to people who say they don’t have a Walmart account. A Walmart spokesperson confirmed to Gizmodo that the emails are coming from a valid Walmart address and that the links in the emails will take you to Walmart’s website. The company doesn’t think the emails are part of a hack—at least not right now.
Instead, the spokesperson said that someone could be using software to validate whether a list of email addresses are valid by testing whether an email from Walmart would go through. Here’s what Walmart told Gizmodo:
They might [then] use it for phishing scams,” the spokesman suggested, but he confessed that “we don’t know for sure why” it happened. He added, “it’s unlikely that a customer’s walmart.com account has been comprised.”
People started taking to Twitter on Monday to complain and ask Walmart what was going on, and based on more recent tweets, it looks like the emails are still coming.
The Walmart spokesperson wouldn’t tell Gizmodo how many customers were affected.
Hackers have been known to send emails prompting customers to change their passwords, so users are smart to be wary. In general, if you’re getting emails and you didn’t attempt to change your password, don’t type your password into any links that are included in the email and never respond directly to the email. Instead, go directly to the company’s web site and try logging in with your existing password. If it works, then you can ignore the reset notice.
And to be extra safe, if you’re one of those people whose inbox is being flooded by password change emails from Walmart, check your account and keep a watch on any credit cards you’ve used to purchase items through that account.