UPDATE: It is being reported that at least “dozens” of others received the same email. Walmart is blaming this on a “bad actor” and have not yet disclosed how many people were impacted.
“Walmart () spokesperson Molly Blakeman said in a statement that “an external bad actor” created fake user accounts “with obvious intent to offend our customers.”
‘We were shocked and appalled to see these offensive and unacceptable emails. We’re looking into our sign up process to ensure something like this doesn’t happen again,’ Blakeman said.
Walmart did not disclose how many customers received the email.”
Just after midnight (Pacific Time) on May 24th, a very strange notification came across my phone from my Outlook app.
“Welcome to Walmart, N**ger! Your new account is ready.”
I’m well accustomed to phishing emails, and know this falls well outside of an obvious phish attempt. Anything stranger than fiction requires some attention. This clearly was not a phishing attempt, and it came from Walmart directly which I verified by viewing the direct reply address, which was “email@example.com.”
But here also lies another problem. Sure, anyone can create an account with an email address and choose a fictitious name. But, my email address is already on Walmart’s books. I’m not new to Walmart, and have ordered with them online in the past—yet someone was able to duplicate an account with an email address I’ve historically used to order. I ordered my children’s bunk bed on Walmart.com, and here they are now calling me a n**ger. Not them personally. I understand this was automated. But with my identical email address? Something is incredibly wrong here.
To Walmart’s credit, I called them and had the offending account closed (so yes, it had been created). Their phone support for online services is open after midnight my time. I expressly told the representative I spoke with that my name is not “N**ger” and I object to being called that. I did request their security department contact me ASAP the following day.
I suppose we’ll see what happens. In the meantime, this is inexcusable. From a security standpoint, how can an email address with account history be used to create a brand new account on the same site with the name “N**ger”?