Say it isn’t so, Chipotle. A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — to the tune of hundreds of dollars.
Customers have also posted on several online threads complaining of account breaches and even more have tweeted at @ChipotleTweets to alert the fast food giant of the problem. How did they do it? Most orders were put through under a victim’s account and delivered to addresses in another state.
Exploit: Credential stuffing
Chipotle: American chain of fast casual restaurants
Risk to Small Business: 1.888 = Severe: Several individuals took to Twitter and Reddit to report that their Chipotle accounts were being used to place unauthorized orders at locations across the country. However, many of the customers maintain that their passwords were unique to Chipotle, which could rule out the possibility of a credential stuffing attack and shift the blame directly on Chipotle. In response, Chipotle officials stated that they don’t believe their network was breached or that personal data was revealed to outside entities. This is the company’s second data security incident in two years, and they have yet to roll out two-factor authentication for their customers.
Individual Risk: 2.571 = Moderate: In credential stuffing attacks, hackers leverage personal information retrieved from past data breaches to breach new accounts. Chipotle account holders should enlist in identity monitoring solutions and reset their passwords to protect their information going forward.
Customers Impacted: To be determined
How it Could Affect Your Customers’ Business: Being able to rule out a credential stuffing attack is crucial to identifying the source of a breach. Without the help of an MSP or an MSSP that offers Dark Web monitoring solutions, it becomes incredibly difficult to track how compromised data is being leveraged by hackers. When developing digital platforms, companies of all sizes need to plan to protect their customer data by taking every precaution to ensure that their information is never compromised.
Contrast to the Rescue: More MSPs rely on Dark Web ID™ than any other monitoring service across the globe to provide actionable stolen credential data.