Chick-fil-A confirms customer accounts hacked in months-long cyberattack

Hackers have been running an automated credential stuffing attack against Chick-fil-A, and selling compromised accounts on the black market, the company has confirmed to local authorities.

The fast food chain submitted a security notice with the California Attorney General’s Office, in which it said that between December 18 last year, and February 12 this year, it suffered a credential stuffing attack.

Credential stuffing is an automated attack in which the threat actors try countless username/password combinations, usually obtained from other data breaches, to see if the information obtained elsewhere was valid on the platform being attacked, too. Given that many users often go for the same username/password combination across a multitude of services, credential stuffing attacks are often a resounding success.

Sensitive data stolen

This also seems to have been the case with Chick-fil-A.

“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source. Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account,” the company said.

During the attack, the threat actors got ahold of information (opens in new tab) such as user’s names, email addresses, Chick-fil-A One membership numbers, mobile pay numbers, QR codes, masked credit and debit card numbers, and the amount of Chick-fil-A credits. It’s the latter that also determined the value of each individual account on the black market. The prices ranged from $2 to $200, and according to BleepingComputer, people have been using stolen accounts to make purchases. 

To tackle the issue, the company forced password resets on its customers, froze funds that were loaded into accounts, and removed any stored payment information. It also restored account balances and added rewards to people whose accounts had been compromised, even though technically, the company is not at fault here. 

Via: BleepingComputer (opens in new tab)