The story
This occurred in January 2019.
It started with an alert from my bank for a $1000 charge I had not made. It was through the Walmart website. I logged into Walmart and discovered an order for a $1000 projector. Nothing else was out of place, and it was directed to go to my address as if I had ordered it.
I immediately canceled the order, deleted my card info, and changed my password. Then I sent an email to Walmart describing what had happened. I thought this “attack” was a security flaw on Walmart’s website, and the attacker was making an ordinary-looking order to see if I would notice. The order was canceled, and the amount was not charged. I thought everything was taken care of.
While I was in my email, I found a notice from Hulu that a new login had occurred at 3 AM that morning. I logged into Hulu and looked at the list of logged-in devices, and sure enough, a new device had logged in that morning while I wasn’t on Hulu… from an IP address in Malaysia. I kicked every device off the logged-in list and changed the password.
Fast forward a couple of hours… I check my email, and there are 769 new emails since the Walmart order was successfully canceled. They are all from different, legitimate websites, generally along the lines of welcoming me for signing up for an account or a newsletter subscription.
Suddenly, I’m realizing: 1. The Hulu account and Walmart had the same email address and password; 2. The Hulu login occurred many hours before the order was submitted on Walmart. The attacker is currently trolling the internet (probably with automatic scripts) searching for websites where my email address already exists, obviously with the intent to try the password that was attached to the Hulu and Walmart accounts.
I spent months getting all of my website and software accounts switched over to a brand new email address, with unique passwords for each one. I also removed bank and credit card info from websites wherever possible.