Sam's Club resets passwords after thousands of logins posted online

Over 14,000 usernames and plain-text passwords for the retail giant's online store were posted online over the weekend.
Written by Zack Whittaker, Contributor

(Image: file photo via CBSNews.com)

Wholesale retail giant Sam's Club has reset passwords for thousands of customers after their account details were posted online.

In an email to members obtained by ZDNet, the Walmart-owned company said that it had begun resetting passwords after it found that "someone might be trying to take advantage" of customer accounts.

It comes after over 14,600 email addresses and plain-text passwords associated with Sam's Club's online store were dumped on Pastebin, a text sharing site, on Saturday.

The title of the password dump said that the accounts listed belonged to the retail giant. The company which has over 650 locations across the US and tens of millions of members.

But the company denied that it had been hacked.

"We've looked into this issue and there is no indication of a breach of our systems. It is most likely a result of one of the past breaches of other companies' systems. Because customers often use the same usernames and passwords on various sites, bad actors will typically test the credentials they obtain across many popular sites. Unfortunately this is an industry-wide issue," said Walmart spokesperson Dan Toporek in an email.

We first learned of the password dump on Sunday, when a reader forwarded an email from an unknown breach warning site, informing the reader that their password had been posted online.

"I initially ignored [the email], but when I saw my password in the email body, I looked at it further," the reader told me.

We quickly began contacting (at random) some of those whose details were found in the password dump.

All of those that we spoke to confirmed their email address and password.

"I'm utterly shocked," said one person, who didn't want to be named, when he learned that his account information had somehow made its way online. Another said they were "surprised" at the news. Others didn't want to talk for very long on the phone.

Most of those we spoke to said they shop online a few times a year. One said they created their online account "nearly a decade ago."

The spokesperson said that the company's security team "validated that the usernames and passwords on this list were on other lists posted on the dark net previously, indicating that they had come from previous breaches."

But two of the people we spoke to said they had used unique passwords for Sam's Club. One said that there was no way that their password could have come from anywhere else.

The password dump was automatically submitted to the Have I Been Pwned database, where users can check to see if their details appear.

Editorial standards