Cyber Incident Victim: Sam's Club
Date: Sep 2020
Location: United States of America
Summary
Sam's Club experienced unauthorized access to customer accounts resulting from credential stuffing attacks, where attackers used previously compromised credentials to gain entry. The company detected suspicious login activity and responded by resetting affected account passwords, implementing additional security measures to prevent fraudulent actions, and directly notifying impacted members. This incident did not originate from a breach of the retailer's systems but rather from reused credentials obtained elsewhere, highlighting the risks of password recycling across platforms. The organization emphasized its ongoing monitoring efforts and commitment to protecting member privacy amid evolving cybersecurity threats.
Description
In September 2020, Sam’s Club detected unauthorized access attempts targeting member accounts through credential stuffing attacks. These attacks involved automated attempts to log into accounts using credentials previously exposed in unrelated data breaches or phishing campaigns. The company confirmed this activity did not originate from a breach of its own systems but resulted from attackers exploiting reused login credentials across multiple platforms. Upon identifying the suspicious logins, Sam’s Club initiated automated password resets for compromised accounts as a containment measure. The company began sending security notifications to affected members starting around September 24, 2020, explicitly stating that their monitoring indicated potential unauthorized access attempts. These notifications informed members of the forced password resets and apologized for the inconvenience while emphasizing the priority of account protection. Sam’s Club attributed the incident to evolving attacker tactics leveraging known credential reuse vulnerabilities.

Sam’s Club spokesperson Meggan Kring confirmed the company proactively reset passwords for impacted accounts and implemented additional safeguards against fraudulent activity following the September detection. The organization directly notified affected members, though the exact number of compromised accounts was not disclosed. Automated emails cited ongoing monitoring efforts as the basis for identifying the threats and framed the password resets as precautionary measures. Kring reiterated Sam’s Club’s commitment to member privacy and continuous monitoring for suspicious behavior but did not specify technical details about the attack scope or duration beyond confirming September as the detection period. The incident underscored operational challenges in defending against credential stuffing, which exploits widespread password reuse rather than system vulnerabilities. No data theft or financial fraud was explicitly linked to the event in available disclosures, with impacts limited to unauthorized account access and subsequent password resets.
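The description above says the activity was identified through monitoring of suspicious logins and contained by forcing password resets on the affected accounts. The following is an added example, not code from Sam's Club or from this catalogue, of the kind of detection logic that surfaces a credential-stuffing pattern in authentication logs: one source address cycling through many distinct accounts in a short window with a high failure rate. The log format, the IP addresses, the account names and the thresholds are all constructed assumptions for the example; the output is the list of accounts that logged in successfully from a flagged source, which is the set a defender would queue for a precautionary reset.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data).
# Fields: ISO-8601 timestamp, source IP, account name, outcome.
SAMPLE_LOG = """\
2020-09-20T10:00:01Z 203.0.113.5 alice FAIL
2020-09-20T10:00:02Z 203.0.113.5 bob FAIL
2020-09-20T10:00:03Z 203.0.113.5 carol SUCCESS
2020-09-20T10:00:04Z 203.0.113.5 dave FAIL
2020-09-20T10:00:05Z 203.0.113.5 erin FAIL
2020-09-20T10:00:06Z 203.0.113.5 frank FAIL
2020-09-20T10:00:07Z 203.0.113.5 grace SUCCESS
2020-09-20T10:05:00Z 198.51.100.7 alice FAIL
2020-09-20T10:05:30Z 198.51.100.7 alice SUCCESS
2020-09-20T11:00:00Z 192.0.2.9 heidi SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def find_stuffing_sources(events, window_seconds=300, min_accounts=5, min_failure_rate=0.5):
    """Return {source_ip: set(accounts)} for sources whose login attempts, inside any
    sliding window of window_seconds, touch at least min_accounts distinct accounts with a
    failure rate of at least min_failure_rate. A legitimate user retrying one account
    (198.51.100.7 in the sample) never reaches the account-count threshold."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits within window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            accounts = {e[2] for e in window}
            failures = sum(1 for e in window if e[3] == "FAIL")
            if len(accounts) >= min_accounts and failures / len(window) >= min_failure_rate:
                # Union the accounts seen in every flagged window for this source.
                flagged.setdefault(ip, set()).update(accounts)
    return flagged


def accounts_to_reset(events, **thresholds):
    """Accounts that had a SUCCESSFUL login from a flagged source: the containment set
    for a precautionary forced password reset, as described for this incident."""
    flagged = find_stuffing_sources(events, **thresholds)
    return {e[2] for e in events if e[1] in flagged and e[3] == "SUCCESS"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in find_stuffing_sources(evs).items():
        print(f"flagged source {ip}: {len(accounts)} distinct accounts attempted")
    print("accounts to reset:", sorted(accounts_to_reset(evs)))
```

The thresholds are deliberately conservative defaults; in practice they are tuned against the normal per-source account diversity of the login endpoint, and the flagged set feeds a reset and notification workflow rather than an automatic block, since the source addresses behind stuffing campaigns change faster than a blocklist can follow.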
