American fast food restaurant chain Chick-fil-A has started notifying roughly 71,000 individuals that their user accounts have been compromised in a two-month-long credential stuffing campaign.
In a notification letter to impacted customers, a copy of which was submitted to multiple Attorney General offices, Chick-fil-A says the accounts were compromised in a series of automated attacks targeting both its website and mobile application.
A low cost, low risk type of cyberattack, credential stuffing relies on automation – typically via bots – to test hundreds of thousands of username-password pairs against new targets. What makes credential stuffing possible, however, is users’ habit of reusing the same password across multiple online services.
The tested credentials come from other data breaches and can often be acquired relatively easily and at low cost from various underground sources, and this is what happened in the Chick-fil-A incident as well.
“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source,” Chick-fil-A says.
The fast food company says that the attackers eventually gained access to Chick-fil-A One accounts and to the information available within.
The compromised information, the company says, includes names, email addresses, masked credit/debit card numbers, Chick-fil-A One membership information, and the available Chick-fil-A credit for each account.
“In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address. Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number,” Chick-fil-A tells customers.
Chick-fil-A says it has already prompted impacted users to reset their passwords, removed stored credit/debit card payment methods, and temporarily froze any funds that users might have loaded into their Chick-fil-A One accounts.
The company says it has restored account balances for the impacted accounts, which in some cases included refunding to users’ original form of payment, and added rewards to accounts.
Chick-fil-A told the Maine Attorney General’s Office that more than 71,000 individuals were impacted in the incident.
Related: Media Giant News Corp Discloses New Details of Data Breach
Related: Pepsi Bottling Ventures Discloses Data Breach
Related: Patient Information Compromised in Data Breach at San Diego Healthcare Provider

More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
