Chick-fil-A has confirmed to local authorities that hackers have been carrying out an automated credential stuffing attack and selling compromised accounts on the black market. It’s a worrying situation, but the company is addressing the issue and protecting its customers.
After reports of “suspicious activity” on customer accounts in January, Chick-fil-A started looking into them. The fast-food restaurant company has reported the security issue to the California Attorney General’s Office, informing it that from 18th December of the previous year to 12th February of this year, its system was targeted by cybercriminals using a technique called “credential stuffing”.
When it happened, Chick-fil-A created a page to help their customers if they noticed any strange things happening with their accounts. They gave out information on what steps to take to protect themselves.
Attackers managed to get into a whopping 71,473 Chick-fil-A customer accounts using this attack method. This gave them complete access to check out and possibly swipe customers’ information.
The accounts that were being sold varied in price from as little as $2 to as much as $200. The cost depended on the balance of rewards in the account and the payment methods that were linked to it.
In one Telegram channel, individuals could be seen purchasing these accounts and then showing off the things they bought using them. It’s quite concerning to see that people are willing to engage in such illegal activity just to get their hands on a few reward points.
Customers of the popular fast-food chain have been warned of a potential data breach. Chick-fil-A has notified affected customers that hackers who accessed their accounts may have gained access to their personal information, such as their name, email address, membership number, and mobile pay number, as well as other details like their QR code and the amount of Chick-fil-A credit on their account.
The data may also have contained the last four digits of certain consumers’ credit cards, their birthdays, phone numbers, and physical addresses. The fast-food chain has urged affected customers to review their account activity and report any unauthorised transactions to their bank.
Chick-fil-A advised their users to change their password straight away if they’ve been using the same login details for other accounts. Users should ensure they generate unique and secure passwords for each online account since credential-stuffing attacks can compromise security and resources.
It’s also a good idea to keep a sharp eye out for any phishing emails or other suspicious activity that might compromise your account.
Phishing emails are one of the most common ways for hackers to try and steal your personal information. To protect yourself, make sure to never click on links in emails that you weren’t expecting or from unknown sources.
Also, be wary of any emails that ask you to enter personal information or login credentials. It’s always best to go directly to the official Chick-fil-A website and log in from there to ensure your safety.
Chick-fil-A has stated that they have restored the balances of the Chick-fil-A One accounts, and they have also added rewards to an account that was affected as a gesture of apology.