Identity, Breach, Privacy

Chick-fil-A hack spells indigestion for 71K customers

A total of 71,473 were impacted by the Chick-fil-A credential-stuffing attacks

Risks associated with poor password hygiene are hitting home for 71,000 Chick-fil-A customers who have been notified that their online customer loyalty accounts have been compromised via an automated credential-stuffing attack.

Data pilfered from Chick-fil-A customers include names, email addresses, obfuscated credit and debit card numbers, Chick-fil-A One membership information and Chick-fil-A food credits. According to breach disclosure information shared with multiple state attorney general offices, the credential-stuffing campaign targeting Chick-fil-A customers for the past two months.

“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source,” Chick-fil-A said.

Credential stuffing is when adversaries use usernames and passwords, typically sourced on illicit online forums, and programmatically attempt to use them on random online accounts. The hope by criminals is that users are lazy and reuse passwords across multiple online services.

According to the Verizon’s 2023 Data Breach Investigations Report (PDF) poor password hygiene is a leading contributor to breached businesses. Poor password management includes password reuse, weak passwords, default credentials and phishing or pretexting attacks that con users into revealing usernames and passwords.

Eighty percent of successful breaches that targeted web applications exposed via an enterprise external attack surface are tied to stolen credentials, Verizon reported.

“There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years,” the report stated.

According to the state of Maine, a total of 71,473 were impacted by the Chick-fil-A credential-stuffing attacks. A letter sent to affected customers dated March 2, 2023, notified customers of the incident and outlined mitigation efforts.

“As soon as Chick-fil-A discovered the incident, we immediately took action to protect customers’ accounts, which included requiring customers to reset passwords, removing any stored credit/debit card payment methods, and temporarily freezing funds previously loaded onto customers’ Chick-fil-A One accounts,” according to a copy of the letter.

Passwords, account access and digital IDs continue to be pressing security issues despite years of public awareness and password-hardening technologies.

Recently, Twitter was derided by security professionals for its decision to remove two-factor authentication tools to unpaid accounts. Even when best-practice tools are used, such as password vaults, users can be exposed. LastPass, for example, has been mopping up a password mess tied to a security breach of its systems that have impacted customers and passwords stored using its service.

Meanwhile, technologies that compete and strengthen password security have struggled to become more mainstream.

“Although passwords are still the most widely used, 31% of consumers believe biometrics are more secure,” according a recent report by PYMNTS.

One quarter of consumers who use passwords prefer them over competing technologies such as biometrics, PYMNTS found.

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.