Hackers ran an automated credential stuffing attack against Chick-fil-A, the company has confirmed in a filing with state authorities, and compromised accounts have since been offered for sale on the black market.
The fast food chain has filed a security notice with the California Attorney General's Office stating that it was the victim of a credential stuffing attack between December 18, 2022 and February 12, 2023.
Credential stuffing is an automated attack in which cybercriminals replay large numbers of username and password pairs, usually taken from earlier data breaches of other services, against a login endpoint to find which of them are also valid on the targeted platform. Because many people reuse the same email address and password across services, a meaningful fraction of the stolen pairs typically works, so these attacks frequently succeed. Unlike a brute-force attack, which hammers one account with many passwords, credential stuffing tries each account only once or twice, which is what makes it easy to miss with per-account lockout rules alone.
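The pattern described above, as an added example that is not part of the original article and not code from Chick-fil-A or BleepingComputer: a small detector run over constructed login-log lines. It keys on the signal that distinguishes stuffing from both brute force and normal traffic, namely one source trying many distinct accounts in a short window with mostly failures, and it reports the accounts that did log in from a flagged source, which are the ones to force-reset. The log format, field layout, IP addresses, account names and thresholds are all assumptions chosen for illustration.

```python
"""Credential-stuffing detector over web login logs.

Added example, not the article's or Chick-fil-A's code. Log format, thresholds
and all sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format, one event per line:
#   <ISO-8601 UTC timestamp> <client ip> <account email> <LOGIN_OK|LOGIN_FAIL>
# 203.0.113.7  -> stuffing: many different accounts, mostly failures, 2 hits
# 198.51.100.4 -> brute force on a single account (should NOT be flagged)
# 192.0.2.9    -> ordinary user (should NOT be flagged)
SAMPLE_LOG = """\
2023-01-05T02:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2023-01-05T02:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2023-01-05T02:00:02Z 203.0.113.7 carol@example.com LOGIN_OK
2023-01-05T02:00:03Z 203.0.113.7 dave@example.com LOGIN_FAIL
2023-01-05T02:00:03Z 203.0.113.7 erin@example.com LOGIN_FAIL
2023-01-05T02:00:04Z 203.0.113.7 frank@example.com LOGIN_FAIL
2023-01-05T02:00:05Z 203.0.113.7 grace@example.com LOGIN_OK
2023-01-05T02:00:06Z 203.0.113.7 heidi@example.com LOGIN_FAIL
2023-01-05T02:00:07Z 203.0.113.7 ivan@example.com LOGIN_FAIL
2023-01-05T02:00:08Z 203.0.113.7 judy@example.com LOGIN_FAIL
2023-01-05T02:01:10Z 198.51.100.4 alice@example.com LOGIN_FAIL
2023-01-05T02:01:25Z 198.51.100.4 alice@example.com LOGIN_FAIL
2023-01-05T02:01:40Z 198.51.100.4 alice@example.com LOGIN_OK
2023-01-05T02:05:00Z 192.0.2.9 bob@example.com LOGIN_OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=8, min_fail_ratio=0.5):
    """Return {ip: stats} for source IPs whose login traffic looks like stuffing.

    A source is flagged when, within any sliding window of `window` length, it
    attempted at least `min_distinct_users` different accounts and at least
    `min_fail_ratio` of those attempts failed. Single-account brute force never
    reaches the distinct-user threshold; a real user never reaches the volume.
    For a flagged IP, `compromised` lists every account that logged in
    successfully from it anywhere in the log.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp (first tuple field)
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "fail_ratio": fails / len(win),
                    "compromised": sorted({e[2] for e in evs if e[3]}),
                }
                break                  # one verdict per IP is enough
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

In production the same logic would run over a stream keyed by more than source IP (stuffing tools rotate through residential proxies), with the distinct-account count also tracked per ASN, user agent and TLS fingerprint; the per-IP version here is the simplest form that still separates stuffing from brute force.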
Sensitive data has been stolen
This seems to have been the case with Chick-fil-A as well.
“After thorough investigation, we have determined that unauthorized individuals carried out an automated attack on our website and mobile app between December 18, 2022 and February 12, 2023 using account credentials (e.g. email addresses and passwords) obtained from an external source. Based on our investigation, we determined on February 12, 2023 that unauthorized persons subsequently accessed information in your Chick-fil-A One account,” the company said.
During the attack, the cybercriminals obtained information such as usernames, email addresses, Chick-fil-A One membership numbers, mobile payment numbers, QR codes, masked credit and debit card numbers, and Chick-fil-A credit amounts. The stored credit is what set the price of each individual account on the black market: according to BleepingComputer, prices ranged from $2 to $200, and buyers used the stolen accounts to make purchases.
To address the issue, the company required affected customers to reset their passwords, froze funds deposited into accounts, and deleted any stored payment information. It also restored account balances and added rewards for those whose accounts were compromised, even though the credentials used in the attack were leaked from other services rather than from Chick-fil-A's own systems.
Via: BleepingComputer