Fast food chain Chick-fil-A has confirmed that customer accounts were breached in a credential stuffing attack that took place between December 2022 and February 2023.
During the attack, threat actors gained access to stored rewards balances and personal information, including customers’ names, email addresses, membership numbers, and mobile pay numbers.
The attackers also accessed QR codes, masked credit and debit card numbers, and the amount of Chick-fil-A credit on customers’ accounts. Some customers’ data may also have included their birthdays, phone numbers, physical addresses, and the last four digits of their credit cards.
The attack was first reported to Chick-fil-A by BleepingComputer in December 2022, but the company did not confirm it until February 2023. In response, Chick-fil-A forced customers to reset their passwords and froze funds loaded into accounts, while also removing any stored payment information.
The company also restored account balances and added rewards to impacted accounts. Chick-fil-A warns customers that the accounts were breached using credentials exposed in other data breaches, so impacted users should change their passwords at every site where they reused the same password as their Chick-fil-A account.
While there is no evidence of personal information being abused, customers are advised to watch out for targeted phishing emails using this information.
To reduce the risk of being impacted by similar attacks, customers are urged to use a unique password for each site and store them in a password manager, like Bitwarden.
A unique password defeats credential stuffing at its root: a password leaked from one site no longer unlocks any other account, so the attacker's replayed credential list simply fails. A password manager makes this practical by generating and storing a different strong password for every site, so the user never has to remember or reuse one.
This incident highlights the ongoing risk of credential stuffing attacks, where cybercriminals take lists of usernames and passwords from previous data breaches and automatically replay them against other sites' login pages, relying on the fact that many people reuse the same password across services.
Companies must remain vigilant against such attacks and take steps to protect their customers' data, such as monitoring for anomalous login patterns and offering multi-factor authentication, while also educating customers on how to reduce the risk of their accounts being compromised.
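As an added illustration of the kind of login monitoring that catches a credential stuffing run (this is example code, not Chick-fil-A's or BleepingComputer's, and the log format, field names, IP addresses and usernames are all constructed assumptions), the following script walks a handful of sample authentication log lines and flags any source IP that hits many distinct accounts with a high failure rate inside a short window. It then lists which of those accounts the flagged IP actually got into, which is the set a responder would force-reset first.

```python
"""
Credential-stuffing detector run over constructed authentication log lines.

Added example, not code from Chick-fil-A or the article. The log format is
an assumption made for this example:
    <ISO-8601 UTC timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 replays leaked email/password pairs
# against eight different accounts and gets into two of them (reused
# passwords); 198.51.100.20 is one person mistyping their own password;
# 192.0.2.5 is an ordinary successful login.
SAMPLE_LOG = """\
2023-01-15T10:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2023-01-15T10:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2023-01-15T10:00:02Z 198.51.100.20 carol@example.com LOGIN_FAIL
2023-01-15T10:00:03Z 203.0.113.7 dave@example.com LOGIN_OK
2023-01-15T10:00:04Z 203.0.113.7 erin@example.com LOGIN_FAIL
2023-01-15T10:00:05Z 198.51.100.20 carol@example.com LOGIN_FAIL
2023-01-15T10:00:06Z 203.0.113.7 frank@example.com LOGIN_FAIL
2023-01-15T10:00:07Z 203.0.113.7 grace@example.com LOGIN_FAIL
2023-01-15T10:00:09Z 198.51.100.20 carol@example.com LOGIN_OK
2023-01-15T10:00:10Z 203.0.113.7 heidi@example.com LOGIN_OK
2023-01-15T10:00:11Z 203.0.113.7 ivan@example.com LOGIN_FAIL
2023-01-15T10:03:00Z 192.0.2.5 judy@example.com LOGIN_OK
"""


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, username, success)."""
    ts, ip, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(),
            result == "LOGIN_OK")


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that, within `window`, attempt at least `min_accounts`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.

    The distinct-account requirement is what separates stuffing from a
    legitimate user who fails repeatedly against their own single username.
    Returns {ip: {"first_flagged_at", "accounts_tried", "failures",
    "compromised"}}; "compromised" lists accounts the IP logged into.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # ip -> sliding window of (ts, user, ok)
    findings = {}
    for ts, ip, user, ok in events:
        win = recent[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > window:  # drop events older than the window
            win.popleft()
        if ip in findings:
            continue
        distinct = {u for _, u, _ in win}
        failures = sum(1 for _, _, k in win if not k)
        if len(distinct) >= min_accounts and failures / len(win) >= min_fail_ratio:
            findings[ip] = {"first_flagged_at": ts}
    # For each flagged IP, summarise its activity over the whole log: the
    # successes are the accounts whose reused password worked.
    for ip, finding in findings.items():
        mine = [(u, ok) for _, i, u, ok in events if i == ip]
        finding["accounts_tried"] = len({u for u, _ in mine})
        finding["failures"] = sum(1 for _, ok in mine if not ok)
        finding["compromised"] = sorted(u for u, ok in mine if ok)
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: flagged at {f['first_flagged_at']:%H:%M:%S}, "
              f"{f['accounts_tried']} accounts tried, {f['failures']} failures, "
              f"compromised: {', '.join(f['compromised'])}")
```

Running it flags only 203.0.113.7, reporting eight accounts tried, six failures and two compromised accounts, while the user who mistyped her own password three times is left alone. In production the per-IP key is the weak spot: stuffing tools rotate through proxy pools, so a real detector also keys on user agent, ASN and the site-wide ratio of failed to successful logins, and feeds flagged accounts straight into a forced password reset rather than a dashboard.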