On October 21, 2020, Sam's Club disclosed a data breach stemming from unauthorized access to member accounts. The attackers exploited login credentials likely sourced from an external breach, compromising personal information such as names, phone numbers, addresses, and Cash Rewards details. While the exact scale of the breach remains undisclosed, the incident exposed sensitive customer data, raising concerns over potential misuse for fraud or identity theft. The breach did not involve ransomware or systemic operational disruptions, but it highlighted vulnerabilities in credential security and third-party data protection. Customers were advised to monitor accounts for suspicious activity, though no immediate financial losses or large-scale fraud were reported. The incident underscored the risks of credential stuffing attacks and the broader implications of reused passwords across platforms.
TPRM report: https://www.rankiteo.com/company/sams-club-map
{
  "id": "sam526082125",
  "linkid": "sams-club-map",
  "type": "Breach",
  "date": "9/2020",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Unknown',
                        'industry': 'Retail / Membership Warehouse',
                        'location': 'United States',
                        'name': "Sam's Club",
                        'type': 'Retail'}],
 'attack_vector': 'Credential Stuffing',
 'data_breach': {'data_exfiltration': 'Likely',
                 'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': ['names',
                                                         'phone numbers',
                                                         'addresses'],
                 'sensitivity_of_data': 'Moderate to High (PII, Rewards Data)',
                 'type_of_data_compromised': ['Personal Information',
                                              'Membership Rewards Data']},
 'date_detected': '2020-10-21',
 'date_publicly_disclosed': '2020-10-21',
 'description': "Sam's Club reported a data breach on October 21, 2020, "
                'involving unauthorized access to member accounts using login '
                'credentials likely obtained from another source. The breach '
                'potentially affected personal information such as names, '
                'phone numbers, addresses, and Cash Rewards details, although '
                'the exact number of individuals affected is unknown.',
 'impact': {'data_compromised': ['names',
                                 'phone numbers',
                                 'addresses',
                                 'Cash Rewards details'],
            'identity_theft_risk': 'Potential'},
 'initial_access_broker': {'entry_point': 'Credential Stuffing (Reused '
                                          'Credentials from External Source)',
                           'high_value_targets': ['Member Accounts',
                                                  'Cash Rewards Data']},
 'post_incident_analysis': {'root_causes': ['Weak/Reused Credentials',
                                            'Lack of Multi-Factor '
                                            'Authentication (MFA)']},
 'references': [{'date_accessed': '2020-10-21',
                 'source': "Sam's Club Public Disclosure"}],
 'title': "Sam's Club Data Breach (2020)",
 'type': 'Data Breach'}