Ever get the feeling that everything is broken?

Ever feel like customer service isn’t about serving the customer anymore and we’re all one typo away from chaos online? Well, I recently wasted 2 hours because someone I’ve never met who lives 3,000 miles away made a typo.

Sometimes I think my lot in life is to have weird things happen, figure out why, and then tell people about it. Here’s what happened to me:

Someone with the same name as me signed up for Walmart Plus (paid with free trial) and mistyped their Gmail address. For all I know, they may have meant to use a Yahoo! address. Unfortunately, his “wrong” email turned out to be a Gmail variant of mine.

Gmail ignores dots in the email address for personal Gmail accounts, Walmart doesn’t. More on that in a minute, but then…

Boom! I suddenly “inherited” his new, bouncing baby Walmart account (but it wasn’t obvious it was a new account at first). Inside this account was his address, phone number, and American Express card (last 4 digits). He even placed an order, which then got cancelled, and I got all the receipts.

Sadly, I didn’t look closely enough at first, and I thought that somehow this guy had upgraded my existing account. But, that wasn’t it at all.

This wasn’t a hack. It wasn’t fraud. It was Walmart’s signup process being totally fupduk. But it’s that way by design, or rather, lack of thoughtful design.

TL;DR: Walmart’s Signup Flow is Fupduk

• Someone with the same name as mine mistyped their email when creating a Walmart Plus account.

• Because Gmail ignores dots in addresses, their “wrong” email landed in my inbox.

• Walmart, however, created a brand-new account. No confirmation required.

• Result: I had access to their address, phone number, and Amex card on an account I did not create.

• To make things worse, I accidentally enabled 2FA (2-Factor Authentication) on their account, which screwed me out of enabling 2FA on my own.

• Walmart doesn’t let you delete accounts without support or remove 2FA numbers. Perfect!

Key Takeaways

• Users: Always enable 2FA, also called multi-factor authentication (MFA) via authenticator app, phone number, etc. Do this immediately upon account creation. Pay attention to weird signup emails in your inbox. They’re not always phishing attempts.

• Developers and teams: The only way this could have happened is if there was no verification process in the sign up flow. There was a welcome email, but the user was allowed to proceed with adding details, upgrading, and placing an order right after account creation. Always send verification emails before allowing the account creation process to continue.
  
  Do not allow personal information, upgrades, payments, or orders without this. Test! Do end-to-end testing. Test for typos and design with Gmail quirks (and others) in mind. Give users the power to fix mistakes.

The 2-Hour Tour of Someone Else’s Life

So there I was, stuck with this Walmart Plus account that wasn’t mine but yet somehow was. I wasted 2 hours untangling the mess (which still isn’t fully resolved).

To recap a little from above, a guy with my exact name (no way!) fat-fingered his email when signing up for Walmart Plus. Unfortunately, his “wrong” email was a Gmail variant of mine.

Fun fact: Gmail allows but essentially ignores dots in email addresses, but Walmart treats them like different people. The resulting chaos is guaranteed.

So suddenly, I had a Walmart account under my control, complete with his address, his phone number, and his American Express card. He even placed an order. And I got the receipts. Literally, in my inbox.

Why This is Bananas

• No email confirmation. Walmart didn’t ask me (or him) to verify the email. Just, “Welcome aboard, dude, go ahead and drop in your credit card.” Never mind that all account related emails will go to someone else and they will be able to log into your account, change the password, etc.

• Instant paid upgrade. He went straight for the Walmart Plus upgrade (free trial) without proving the account was his. Had I not checked this, his credit card would have been charged for the monthly fee after the free trial.

• Orders? Sure, why not! Oh, and you can place an order before proving you can even receive an email about it. Is that backwards, or what?

It’s bananas.

Gmail Aliases: The Silent Chaos Maker

To Gmail:

joe.smith@gmail.com = joesmith@gmail.com

Emails sent to either address end up in the same inbox. Unless you’re looking for it or you compare them side-by-side, you barely notice they’re different.

To Walmart:

• Nope, totally different people! Let’s make two accounts.

So when my not-so-evil twin signed up, I got his digital baggage (and his emails). Thanks, Google. Thanks, Walmart. Thanks, universe.

Note: Plus addressing is also supported in Gmail (which is awesome), and that would have been a dead giveaway. For example:

joe.smith+walmart@gmail.com

My Brilliant Idea That Backfired

Being annoyed and in a hurry and not looking closely, my assumption was that this was not a new account. I should have known better (the welcome email should have indicated to me it was a new account). I should have investigated more thoroughly. Instead, like a good technologist going off a wrong assumption, I thought, Let’s lock this sucker down with 2FA.

Ooops! Wrong move. I locked down the wrong account.

Worse, Walmart doesn’t let you remove a phone number once it’s tied to an account. You have to replace it with another mobile number (which I don’t have). And once a number is associated with Account #WrongGuy, you can’t use it on Account #ActualMe. Bonus round: I couldn’t find a way to delete the “bad” account without contacting support.

So now I’ve basically bricked my own legit account while babysitting someone else’s. At the very least, I’ve left my account less secure than it could be. None of this is “security” as we know it, it’s just a waste of time.

Lessons for Users

• Always turn on 2FA (but, you know, on your account).

• If you get a weird email about “your new membership,” don’t ignore it. It might not be phishing. Instead, it might be corporate incompetence disguised as technology run amok.

Lessons for Developers (a.k.a. Please Stop This Madness)

• Verify emails before anything else. No verification = no upgrades, no credit cards, no orders. Period.

• Plan for typos. Real people make them. Real systems should anticipate them.

• Give users control. Let us delete accounts. Let us unhook 2FA numbers. Let us fix mistakes without begging your support queue.

• Find people who know how to test sh*t (go ahead and bribe me). Anyone who knows how to test email scenarios and the sign up flow should catch this stuff.

The Bigger Picture

In the end, no one lost money. In fact, since I couldn’t delete the account, I cancelled the “Plus” upgrade and then took the guy’s credit card out of the account.

My doppelgänger’s Amex is safe, and my blood pressure eventually returned to normal. But the whole thing left me with the nagging feeling that the internet is just one sloppy signup form away from chaos. Of course, I’ve known this for a long time.

This wasn’t fraud. It wasn’t malice. It was just two guys with the same name and a badly designed account sign up process with no verification. But it’s still a privacy issue at the very least, and it doesn’t have to be.

Dear Walmart: please fix your fupduk signup flow before someone who is less tech savvy and less patient than I am has this happen to them.

One last thought: Walmart isn’t the only place this is a problem, and it could be used maliciously, so be on the lookout.