Chick-fil-A, an American fast food chain, has acknowledged that a months-long credential stuffing attack resulted in the breach of customers' accounts.
With this, Hackers were able to access personal data and spend stored reward sums as a result of the cyberattack.
Customer Accounts Are Being Sold By The Cybercriminals
According to a January report from Bleeping Computer, Chick-fil-A had started looking into what it called "suspicious activity" on customers' accounts.
Chick-fil-A created a support page at the time with instructions for customers on what to do if they see suspicious activity on their accounts.
Before Christmas, rumors of user accounts for Chick-fil-A being stolen in attacks using stuffed credentials and sold online arose.
Depending on the rewards account balance and associated payment methods, these accounts were sold for prices ranging from $2 to $200.
Even individuals buying these accounts and sharing images of their purchases made with them were visible on one Telegram channel that housed it all.
Read More: Chick-fil-A Customer Account Hack Now Under Investigation Following Reports
The Chain Restaurant Confirms Surfing Attack Affecting Users' Accounts
Today, the California Attorney General's Office received a security alert from Chick-fil-A today that contained confirmation of this news.
The fast food chain claims that between December 18 last year and February 12 of this year, it was the target of a credential stuffing attack.
"Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account," reads its customer notification.
Also, according to the notice Chick-fil-A sent to customers, the compromised credentials were obtained from an outside source.
Bleeping Computer writes that customers who were impacted are being warned by the fast food business that cyber attackers who gained access to their accounts would also have had access to their personal data.
Name, email address, membership number for Chick-fil-A One, mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit currently on users' account are all included.
The details could have included the last four digits of credit cards, phone numbers, physical addresses, and birthdays for some clients.
Chick-fil-A required customers to change their passwords after the hack, froze any money added to their accounts, and deleted any payment information that had been saved.
As an additional expression of regret, Chick-fil-A claims to have restored the balances of affected customers' Chick-fil-A One accounts and added prizes.
Affected customers must update their passwords at all of the websites they often visit because the accounts were compromised using credentials revealed in earlier data breaches.
Customers who were affected should be on the alert for possibly targeted phishing emails using this information, even though there is no proof that personal information was misused.
The company has since then instructed customers to use different passwords for each site when changing passwords to make it easier to manage them.
Saving them in a password manager, might be of great help particularly if they share a Chick-fil-A password.
Related Article: Chick-fil-A To Use Refraction AI's Autonomous Delivery Robots in Pilot Test
