American fast food chain Chick-fil-A has confirmed that over 71,000 customers’ accounts were breached in a months-long credential stuffing attack, allowing threat actors to use stored rewards balances and access personal information.
In January, BleepingComputer reported that Chick-fil-A had begun investigating what it described as “suspicious activity” on customers’ accounts.
At the time, Chick-fil-A set up a support page with information on what customers should do if they notice suspicious activity on their accounts.
This warning came after BleepingComputer emailed Chick-fil-A before Christmas about reports of Chick-fil-A user accounts being stolen in credential-stuffing attacks and sold online.
These accounts were sold for prices ranging from $2 to $200, depending on the rewards account balance and linked payment methods.
A Telegram channel seen by BleepingComputer showed people buying these accounts and then sharing images of the purchases made through them.
Chick-fil-A confirms credential stuffing attack
Today, Chick-fil-A confirmed our reporting in a security notice filed with multiple Attorney General offices, stating that it suffered a credential stuffing attack between December 18th, 2022, and February 12th, 2023. This sustained attack allowed the threat actors to compromise a total of 71,473 Chick-fil-A accounts.
“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source.
Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account.” – Chick-fil-A notification.
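The notice describes the classic credential stuffing signature: an automated source replaying email/password pairs from an unrelated breach against the login endpoint, so one client address cycles through many different accounts, most attempts fail, and the occasional success is a compromised account. The following Python script is an added example (not Chick-fil-A's or BleepingComputer's code) showing how a defender might pick that pattern out of authentication logs; the log format, the thresholds and the sample entries are all constructed for illustration.

```python
"""
Flag credential-stuffing sources in web/mobile login logs.

Added example, not code from Chick-fil-A or the article. The log format
(timestamp, client IP, account, result), the thresholds and the sample
lines are constructed assumptions, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries eight different accounts in a few
# seconds with two successes; a second source is a normal user retrying once.
SAMPLE_LOG = """\
2022-12-18T03:00:01Z 203.0.113.7 alice@example.com FAIL
2022-12-18T03:00:02Z 203.0.113.7 bob@example.com FAIL
2022-12-18T03:00:02Z 203.0.113.7 carol@example.com OK
2022-12-18T03:00:03Z 203.0.113.7 dave@example.com FAIL
2022-12-18T03:00:03Z 203.0.113.7 erin@example.com FAIL
2022-12-18T03:00:04Z 203.0.113.7 frank@example.com OK
2022-12-18T03:00:04Z 203.0.113.7 grace@example.com FAIL
2022-12-18T03:00:05Z 203.0.113.7 heidi@example.com FAIL
2022-12-18T03:10:00Z 198.51.100.20 alice@example.com FAIL
2022-12-18T03:10:05Z 198.51.100.20 alice@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose behaviour looks like stuffing.

    A stuffing source differs from a user mistyping their own password:
    within a short window it touches many *distinct* accounts and most
    attempts fail. The summary reports totals over all of that IP's events.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account, result = parse_line(line)
        events[ip].append((ts, account, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {acct for _, acct, _ in win}
            if len(distinct) < min_accounts:
                continue
            successes = sum(1 for _, _, r in win if r == "OK")
            if successes / len(win) <= max_success_ratio:
                flagged[ip] = {
                    "distinct_accounts": len({a for _, a, _ in evs}),
                    "attempts": len(evs),
                    "successes": sum(1 for _, _, r in evs if r == "OK"),
                }
                break
    return flagged


def accounts_to_reset(log_text):
    """Accounts that logged in successfully from a flagged source.

    These are the ones a defender would force-reset and review, as the
    article describes Chick-fil-A doing for affected accounts.
    """
    bad_ips = find_stuffing_sources(log_text)
    hit = set()
    for line in log_text.strip().splitlines():
        _, ip, account, result = parse_line(line)
        if ip in bad_ips and result == "OK":
            hit.add(account)
    return hit


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"stuffing source {ip}: {summary}")
    print("accounts to reset:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

The thresholds (five distinct accounts in five minutes, at most half succeeding) are deliberately simple; in practice a source list would be keyed on more than the client IP, since stuffing tools rotate through proxies, and successful logins from a flagged source are the accounts worth resetting and reviewing for stored-value or payment-method changes.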
The fast food chain is warning affected customers that threat actors who accessed their account would also have had access to their personal information, including their name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on the account (if any).
For some customers, the data may have included birthdays, phone numbers, physical addresses, and the last four digits of credit cards.
In response to the attack, Chick-fil-A forced customers to reset their passwords, froze funds loaded into accounts, and removed any stored payment information from accounts.
Chick-fil-A also says it restored Chick-fil-A One account balances and added rewards to affected accounts as an apology.
As the accounts were breached using credentials exposed in other data breaches, affected customers should change their passwords at all sites they use, especially if they reuse the same password as their Chick-fil-A account.
When resetting passwords, use a unique password for every site and store them in a password manager, such as Bitwarden, so they can be easily managed.
While there is no evidence that personal information has been misused, affected customers should also be on the lookout for potentially targeted phishing emails that use this information.