American fast food chain Chick-fil-A has confirmed that over 71,000 customers’ accounts were breached in a months-long credential stuffing attack, allowing threat actors to use stored rewards balances and access personal information.
In January, BleepingComputer reported that Chick-fil-A had started investigating what it described as “suspicious activity” on customers’ accounts.
At the time, Chick-fil-A set up a support page with information on what customers should do if they detect suspicious activity on their accounts.
This warning came after BleepingComputer emailed Chick-fil-A before Christmas about reports of Chick-fil-A user accounts being stolen in credential-stuffing attacks and sold online.
These accounts were sold for prices ranging from $2 to $200, depending on the rewards account balance and linked payment methods.
One Telegram channel seen by BleepingComputer showed people purchasing these accounts and then sharing pictures of their purchases made through these accounts.
Chick-fil-A confirms credential stuffing attack
Chick-fil-A has now confirmed our reporting in a security notice submitted to several Attorney General offices, stating that they suffered a credential stuffing attack between December 18th, 2022, and February 12th, 2023. This sustained attack allowed the threat actors to hack a total of 71,473 Chick-fil-A accounts.
“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source.
Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account.” – Chick-fil-A notification.
The fast food chain is warning impacted customers that threat actors who accessed their account would have also had access to their personal information, including their name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on their account (if any).
For some clients, the info might have