
Were Chipotle App Users Hacked?!

As details of this security issue unravel like a Chipotle burrito, fraudulent app activity has outraged users, who are complaining about a possible hack attack.


A report by TechCrunch stated that Chipotle customer accounts have been hacked and that customers are reporting fraudulent orders charged to their credit cards, sometimes totaling hundreds of dollars.

Customers have posted on several Reddit threads complaining of account breaches and many more have tweeted at @ChipotleTweets to alert the fast-food giant of the problem. Most of the complaints so far suggest a similar pattern of behavior: passwords being changed, strange charges appearing on bank statements, and expensive meals being ordered in other parts of the country.

Many of the customers TechCrunch spoke to in the past two days said they used their Chipotle account password on other sites. Chipotle spokesperson Laurie Schalow told TechCrunch that credential stuffing was to blame. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.

Several customers we spoke to said their password was unique to Chipotle. Another customer said they didn’t have an account but ordered through Chipotle’s guest checkout option.


Tweets from Chipotle customers. (Screenshot: TechCrunch)

When we asked Chipotle about this, Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing.


It’s a similar set of complaints made by DoorDash customers last year, who said their accounts had been improperly accessed. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they used a unique password on the site.

If credential stuffing is to blame for Chipotle account breaches, rolling out two-factor authentication would help prevent the automated login process and put an additional barrier between a hacker and a victim’s account.
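On the detection side, the pattern customers describe (a login followed by a password change) can be looked for in authentication logs. The sketch below is an added example, not code from Chipotle or TechCrunch; the log format, field names, accounts and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log (documentation IP ranges, made-up accounts).
LOG = """\
2019-04-16T10:00:01Z ip=203.0.113.7 user=ann@example.com event=login_fail
2019-04-16T10:00:02Z ip=203.0.113.7 user=bob@example.com event=login_fail
2019-04-16T10:00:03Z ip=203.0.113.7 user=cat@example.com event=login_ok
2019-04-16T10:00:04Z ip=203.0.113.7 user=dan@example.com event=login_fail
2019-04-16T10:00:05Z ip=203.0.113.7 user=eve@example.com event=login_fail
2019-04-16T10:00:06Z ip=203.0.113.7 user=fay@example.com event=login_fail
2019-04-16T10:00:09Z ip=203.0.113.7 user=cat@example.com event=password_change
2019-04-16T10:05:00Z ip=198.51.100.20 user=gus@example.com event=login_fail
2019-04-16T10:05:30Z ip=198.51.100.20 user=gus@example.com event=login_ok
2019-04-16T10:06:00Z ip=198.51.100.20 user=gus@example.com event=password_change
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict."""
    ts, *fields = line.split()
    return {"ts": ts, **dict(f.split("=", 1) for f in fields)}

def stuffing_sources(events, min_users=5, max_ok_ratio=0.25):
    """IPs that tried many distinct accounts and mostly failed (assumed thresholds)."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["event"].startswith("login_"):
            users[e["ip"]].add(e["user"])
            total[e["ip"]] += 1
            ok[e["ip"]] += e["event"] == "login_ok"
    return {ip for ip in users
            if len(users[ip]) >= min_users and ok[ip] / total[ip] <= max_ok_ratio}

def accounts_to_lock(events, bad_ips):
    """Accounts a flagged IP logged into; True if it then changed the password."""
    hits = {}
    for e in events:  # events are assumed to be in time order
        if e["ip"] not in bad_ips:
            continue
        if e["event"] == "login_ok":
            hits[e["user"]] = False
        elif e["event"] == "password_change" and e["user"] in hits:
            hits[e["user"]] = True
    return hits

EVENTS = [parse(l) for l in LOG.splitlines()]
BAD_IPS = stuffing_sources(EVENTS)
print(BAD_IPS, accounts_to_lock(EVENTS, BAD_IPS))
```

The second source in the sample is a single user who mistyped a password once and then changed it, which the distinct-account threshold keeps out of the flagged set.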

But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. “We don’t discuss our security strategies.”


Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant-goers. More than a hundred fast food and restaurant chains were also affected by the same malware infections.

In August, three suspects said to be members of the FIN7 hacking and fraud group were charged with the credit card thefts.

Whittaker, Zack. (2019, April 18). Chipotle customers are saying their accounts have been hacked. TechCrunch.
