My wife received an order confirmation email from Athleta last Tuesday morning at 6:30 AM. For clothes she would never wear. In sizes that weren’t hers. Shipping to an address with a suspicious decimal point prefix.
This is the story of a credential stuffing attack, a fraud investigation, and why I spent an evening weaponizing UPS tracking against a cybercriminal.
The Initial Alert
The confirmation email arrived at 6:30 AM. Order total: $127.83, charged directly to her debit card. Two items of plum-colored leisurewear. Expedited overnight shipping. And here’s the kicker—the attacker had burned through all of her loyalty points for about a $10 discount before dumping the rest of the cost onto her card.
This wasn’t phishing. She didn’t click a malicious link. This wasn’t a sophisticated social engineering campaign. This was an old account with a simple password that had been sitting dormant for months, and someone finally got around to using the credentials they’d harvested from a data breach.
The Incident Response Process
When you work in security, you can’t help but run through the mental checklist:
First priority: Scope the breach.
- Was the email account compromised? (No—no unusual login activity, 2FA still active)
- Were bank accounts accessed? (No—checked all recent transactions, no other unauthorized activity)
- Was this a password reuse situation? (Yes—old password that predated our move to unique passwords for everything)
Second priority: Contain the damage.
I contacted Athleta’s customer service, got escalated to their fraud department, and walked them through the timeline. They were helpful—confirmed they’d cancel the charges, initiated a fraud investigation, and promised the account would be flagged.
But here’s where the loyalty points exploitation comes in.
The Criminal’s Playbook: Burning Points for Speed
The attacker didn’t just compromise an account and make a purchase. They executed a specific strategy designed to maximize the chance of a successful delivery before detection:
- Drained all available loyalty points (squeezing every bit of value from the account)
- Selected expedited overnight shipping (reducing the window for intervention)
- Charged the remainder to the card on file (fastest checkout path)
By the time I contacted Athleta—less than an hour after the order was placed—the items were already in fulfillment. The fraud team couldn’t stop the shipment. The warehouse had already processed it. The package was with UPS.
This is the operational tempo that makes retail fraud profitable. Speed matters more than sophistication.
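The defensive counterpart to that playbook is to score an order on the same signals before fulfillment starts, since once the warehouse has it the fraud team is out of options. The following is an added illustration, not code from the author or from any retailer: a small pre-fulfillment risk check that holds an order for review when several of the signals from the story (dormant account, loyalty points drained to zero, rush shipping, a ship-to address that differs from the profile, card on file) line up. The `Order` fields, the weights, the 180-day dormancy window and the hold threshold are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical order record; field names are assumptions for this example,
# not a real retailer's schema.
@dataclass
class Order:
    order_id: str
    account_last_login: datetime   # last successful login before this session
    placed_at: datetime
    loyalty_points_before: int     # balance when the session started
    loyalty_points_spent: int      # points redeemed on this order
    shipping_speed: str            # "standard" | "expedited" | "overnight"
    ship_to_matches_profile: bool  # delivery address equals saved profile address
    paid_with_card_on_file: bool

DORMANT_DAYS = 180          # assumed: no login for half a year counts as dormant

# Assumed weights: a changed ship-to address on a dormant account that just
# burned all its points is the pattern from the story, so those carry the most.
WEIGHTS = {
    "dormant_account": 2,
    "points_drained": 2,
    "rush_shipping": 1,
    "ship_to_changed": 3,
    "card_on_file": 1,
}
HOLD_THRESHOLD = 5          # assumed: at or above this, hold before fulfillment


def risk_signals(order: Order) -> dict:
    """Evaluate each fraud signal independently so reviewers can see which fired."""
    dormant = (order.placed_at - order.account_last_login) > timedelta(days=DORMANT_DAYS)
    points_drained = (
        order.loyalty_points_before > 0
        and order.loyalty_points_spent >= order.loyalty_points_before
    )
    return {
        "dormant_account": dormant,
        "points_drained": points_drained,
        "rush_shipping": order.shipping_speed in ("expedited", "overnight"),
        "ship_to_changed": not order.ship_to_matches_profile,
        "card_on_file": order.paid_with_card_on_file,
    }


def risk_score(order: Order) -> int:
    """Sum the weights of the signals that fired."""
    return sum(WEIGHTS[name] for name, fired in risk_signals(order).items() if fired)


def decision(order: Order) -> str:
    """'hold_for_review' stops the order before it reaches the warehouse."""
    return "hold_for_review" if risk_score(order) >= HOLD_THRESHOLD else "release"


# Constructed sample orders (not real data). The first mirrors the story:
# dormant account, points burned, overnight shipping, new address, card on file.
NOW = datetime(2024, 1, 9, 6, 30)

SUSPICIOUS_ORDER = Order(
    order_id="example-1",
    account_last_login=NOW - timedelta(days=400),
    placed_at=NOW,
    loyalty_points_before=1000,
    loyalty_points_spent=1000,
    shipping_speed="overnight",
    ship_to_matches_profile=False,
    paid_with_card_on_file=True,
)

ROUTINE_ORDER = Order(
    order_id="example-2",
    account_last_login=NOW - timedelta(days=3),
    placed_at=NOW,
    loyalty_points_before=0,
    loyalty_points_spent=0,
    shipping_speed="standard",
    ship_to_matches_profile=True,
    paid_with_card_on_file=True,
)

if __name__ == "__main__":
    for order in (SUSPICIOUS_ORDER, ROUTINE_ORDER):
        print(order.order_id, risk_score(order), decision(order))
```

Each signal alone is weak (plenty of legitimate customers use overnight shipping or redeem all their points), which is why the check scores the combination rather than blocking on any single one; a card on file is only a small bump because it is the normal case.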
The Address Obfuscation Trick
The shipping address caught my attention immediately:
.12345 Oak Street
Not “12345 Oak Street.” The decimal point prefix.
This is a known fraud technique. Many shipping systems and address validation APIs treat .12345 Oak Street and 12345 Oak Street as functionally identical for routing purposes. But for fraud detection systems scanning for flagged addresses? The decimal creates a new string that might not match previous fraud reports.
It’s the digital equivalent of writing your return address in slightly different handwriting on each envelope. Simple. Effective. And it works because most systems weren’t designed to expect this kind of creative formatting.
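The fix on the detection side is to compare addresses by a canonical key rather than by the raw string the customer typed. As an added example (not code from the author or from any retailer or carrier), the following normalizer strips leading punctuation such as the decimal prefix, case-folds, collapses whitespace and commas, and expands common street-suffix abbreviations before matching against a list of previously reported addresses. The flagged addresses and the abbreviation table are constructed for the example, and a naive exact-match check is shown beside it to make the failure mode visible.

```python
import re

# Constructed list of previously reported addresses (not real addresses),
# stored exactly as the fraud reports submitted them.
FLAGGED_ADDRESSES = [
    "12345 Oak Street",
    "987 Maple Ave, Apt 4B",
]

# Small, assumed abbreviation table; a production system would use the
# carrier's or postal service's full standardization rules instead.
SUFFIX_MAP = {
    "st": "street",
    "ave": "avenue", "av": "avenue",
    "rd": "road",
    "dr": "drive",
    "ln": "lane",
    "blvd": "boulevard",
    "apt": "apartment",
    "ste": "suite",
}


def canonicalize(address: str) -> str:
    """Reduce an address to a comparison key.

    Anything that is not a letter, digit or space is dropped, which removes the
    '.' prefix, commas and '#' decoration; runs of whitespace collapse; known
    suffix abbreviations are expanded so 'St' and 'Street' agree.
    """
    lowered = address.lower()
    stripped = re.sub(r"[^a-z0-9 ]+", " ", lowered)
    tokens = [SUFFIX_MAP.get(tok, tok) for tok in stripped.split()]
    return " ".join(tokens)


def build_flagged_index(addresses):
    """Index flagged addresses by canonical key for O(1) lookup."""
    return {canonicalize(a) for a in addresses}


def naive_is_flagged(address: str, flagged) -> bool:
    """Exact string match: what the decimal-prefix trick is designed to slip past."""
    return address in flagged


def is_flagged(address: str, index) -> bool:
    """Match on the canonical key, so formatting variants hit the same entry."""
    return canonicalize(address) in index


if __name__ == "__main__":
    index = build_flagged_index(FLAGGED_ADDRESSES)
    for candidate in [".12345 Oak Street", "12345  oak st.", "12346 Oak Street"]:
        print(f"{candidate!r}: naive={naive_is_flagged(candidate, FLAGGED_ADDRESSES)}"
              f" canonical={is_flagged(candidate, index)}")
```

The same key should be used on both sides: report addresses are canonicalized once when they are filed, and each incoming order's ship-to is canonicalized at lookup time, so a variant that a carrier would still route correctly cannot produce a string the fraud index has never seen.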
The Fraud Economics Nobody Talks About
Let’s be honest about the prosecution reality here:
- Too small for federal law enforcement. The FBI isn’t opening a case over $127.83 in activewear.
- Too complicated for local police. Fraud across state lines, digital evidence, shipping logistics—this isn’t a case that gets solved by a patrol officer.
- Too expensive for the retailer to pursue. Athleta will eat the loss and move on.
The attacker knows this. They’re operating in the sweet spot where the damage is significant enough to be worth their time, but small enough that nobody will invest resources in tracking them down.
This is why credential stuffing remains profitable. Low risk, minimal effort, and thousands of potential targets sitting in breach databases waiting to be exploited.
Turning the Tables: Weaponizing Logistics
I wasn’t willing to let someone walk away with a hundred dollars charged to my wife’s debit card without at least making their day more difficult.
The package was shipped via UPS overnight. The delivery address was real—just not ours. But here’s what the attacker didn’t anticipate:
UPS My Choice.
I logged into our UPS account and claimed the tracking number. Because the shipment was associated with our compromised Athleta account (which had our legitimate address and phone number in the profile), UPS allowed us to flag the delivery as fraudulent and request a return to sender.
The attacker had changed the delivery address, but they couldn’t change the account holder information that UPS cross-referenced.
Twenty-four hours later, the package was on its way back to Athleta’s warehouse. The attacker’s work was wasted. The fraud was documented. And while they didn’t face legal consequences, they also didn’t get their free leisurewear.
The Broader Lessons
This incident reinforced several things I already knew but my wife hadn’t experienced firsthand:
1. Old accounts are ticking time bombs.
That Athleta account was created years ago, before my wife started using a password manager. Before she understood credential reuse risks. Before we treated every online account as a potential liability. She mainly shops in-store, so the online account just sat there—dormant, with an old password, waiting.
Attackers don’t care about your recent accounts with strong unique passwords and 2FA. They care about the accounts you forgot about.
2. Loyalty points are a secondary target.
The attacker drained the loyalty points not because they were the primary objective, but because they added marginal value. Why steal $127 when you can steal $137 by burning someone’s accumulated rewards first?
If you have loyalty accounts with stored payment methods, audit them. Now.
3. Speed beats sophistication.
The attacker didn’t need to bypass 2FA. Didn’t need to phish credentials. Didn’t need to social engineer a customer service rep. They just needed credentials from a breach, a quick checkout process, and overnight shipping.
This is the reality of modern fraud: it’s industrial, automated, and optimized for volume over complexity.
4. The friction points matter.
The only reason we were able to intervene was UPS My Choice. If the attacker had selected a different shipping carrier, or if we hadn’t had an existing UPS account, the outcome might have been different.
Defensive tools aren’t just about passwords and firewalls. Sometimes they’re about claiming your shipping notifications before a criminal does.
The Aftermath: Full Password Audit
After securing the Athleta account, filing a fraud alert with the bank, and getting a new debit card issued, we did what should have been done months ago: a comprehensive password audit using 1Password’s security features.
- Identified weak passwords: 7 accounts still using old patterns
- Found reused passwords: 3 accounts sharing credentials (all now unique)
- Enabled 2FA everywhere possible: Including accounts we’d previously skipped
This incident was a $0 lesson in why password hygiene matters. But it could have easily been a $500 lesson. Or a compromised email account. Or a drained bank account.
We got lucky. Most people don’t.
What WigSec Can’t Guarantee (But Can Help With)
I can’t promise that every account compromise ends with a reversed shipment and zero financial loss. Fraud outcomes depend on timing, carrier policies, retailer cooperation, and sometimes just luck.
But what I can help with is reducing the likelihood you’ll face this situation in the first place:
- Personal Exposure Assessments: Find out what credentials are already out there waiting to be exploited
- Complete Privacy Cleanup: Fix the gaps before they become incidents
- Incident response guidance: If you’re in the middle of a compromise and need to move fast
This story had a relatively happy ending. The next one might not.
If you’re concerned about email compromise, account takeover, or any other aspect of personal privacy and security, WigSec is here for you.
Because sometimes the best defense is knowing what attackers already know about you—before they use it.
Larry Wigington is the founder of WigSec | Wigington Security LLC, a privacy and security consultancy focused on helping everyday people protect their digital lives. He is an active researcher in decision theory, operations research, and open-source intelligence (OSINT) analysis with a focus on defensive privacy services.