Chipotle is receiving some negative customer reviews, but not over its food.
Instead, some customers are saying on Twitter and Reddit that their payment card information has been hacked and is being used to make fraudulent purchases at the Mexican food chain. Chipotle denies a breach has taken place, although company officials did admit to monitoring possible account security issues, according to a TechCrunch story. The company believes these people are victims of credential stuffing.
"We have no indication of any breach of Chipotle’s databases or systems. We are among the many retail, hotel and restaurant companies affected by credential stuffing, in which combinations of user names and passwords are accessed by third parties and used on websites of different companies to see if they can gain access. We continue to monitor any possible security issues and we are constantly investing in security measures to protect our customers," Laurie Schalow, Chipotle's chief corporate reputation officer, told SC Media.
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, and Ameya Talwalkar, co-founder and CPO of Cequence, are so far siding with Chipotle.
Hahad noted that as long as victims are not reporting fraudulent activity outside Chipotle’s payment site, there is a very good chance this is just another credential-stuffing scenario. Usually, with groups like Magecart, the collected credit card information is recycled into underground forums for sale. It is not used to order food on the same website.
"To be fully honest, the extent of the damage is probably minimal because anyone who gets food ordered through a hacked account would have to give away an address for delivery, which would put them at risk of prosecution," he added.
The customers primarily affected have an online Chipotle account with a stored payment card. Many people have reported being charged for orders that they not only did not place, but that were also delivered to addresses in different cities.
Others tweeted about having difficulty cancelling fraudulent orders, complaining that the company is not returning messages concerning refunds. However, it does appear that Chipotle staffers are contacting those tweeting about their problems and attempting to help.