Hackers carried out an automated credential stuffing attack against Chick-fil-A and sold compromised accounts on the black market, the company has confirmed to local authorities.
The fast-food chain filed a security notice with California prosecutors saying it suffered a credential-stuffing attack between December 18 last year and February 12 this year.
Credential stuffing is an automated attack in which threat actors try myriad combinations of usernames and passwords, typically derived from other data breaches, to determine whether information obtained elsewhere was valid on the attacked platform. Given that many users often use the same username and password combination across a variety of services, credential stuffing attacks are often a resounding success.
Sensitive data stolen
This appears to have been the case with Chick-fil-A as well.
“After a careful investigation, we have determined that between December 18, 2022 and February 12, 2023, unauthorized parties launched an automated attack on our website and mobile application, using account credentials (e.g. email addresses and passwords) obtained from a third-party source. Based on our investigation, on February 12, 2023, we discovered that the unauthorized parties subsequently accessed information in your Chick-fil-A One account,” the company said.
During the attack, the attackers obtained information such as usernames, email addresses, Chick-fil-A One membership numbers, mobile payment numbers, QR codes, masked credit and debit card numbers, and Chick-fil-A balance amounts. The balance is also what sets the price of each individual account on the black market: prices ranged from $2 to $200, and, according to BleepingComputer, people have used the stolen accounts to make purchases.
To address the issue, the company forced password resets on its customers, froze funds loaded into accounts, and removed all stored payment information. It also restored account balances and added rewards for people whose accounts were compromised, although technically the company isn’t at fault here.
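The attack pattern described above (many leaked username/password pairs replayed from one source, with only a small fraction succeeding) and the response (forced resets for the affected accounts) can both be illustrated with a small detection script. This is an added example, not code from the article or from Chick-fil-A; the log format, IP addresses and thresholds are constructed for the demo.

```python
# Added example: flag credential-stuffing sources in constructed login logs.
# Stuffing looks like one source trying MANY distinct usernames with a very
# low success rate; a brute-force hits one user, a typo-prone user hits one user.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

def parse_line(line):
    """Parse 'TS src=IP user=NAME result=ok|fail' (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["user"], fields["result"] == "ok"

def find_stuffing_sources(lines, min_users=20, max_success_rate=0.05):
    """Return {src: stats} for sources whose pattern looks like stuffing."""
    stats = defaultdict(SourceStats)
    for line in lines:
        src, user, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.successes += ok  # bool counts as 0/1
        s.users.add(user)
    flagged = {}
    for src, s in stats.items():
        rate = s.successes / s.attempts
        if len(s.users) >= min_users and rate <= max_success_rate:
            flagged[src] = {"attempts": s.attempts, "distinct_users": len(s.users),
                            "success_rate": round(rate, 3)}
    return flagged

def accounts_to_reset(lines, flagged):
    """Accounts that logged in OK from a flagged source: the attacker has
    validated these credentials, so they need a forced password reset."""
    return sorted({u for src, u, ok in map(parse_line, lines) if ok and src in flagged})

# Constructed sample: 203.0.113.9 cycles through a leaked list (2 of 50 hit);
# 198.51.100.4 is one legitimate user who mistypes twice, then succeeds.
SAMPLE_LOG = (
    [f"2023-01-05T10:00:{i:02d} src=203.0.113.9 user=leaked{i}@example.com result=fail" for i in range(48)]
    + ["2023-01-05T10:00:48 src=203.0.113.9 user=leaked48@example.com result=ok",
       "2023-01-05T10:00:49 src=203.0.113.9 user=leaked49@example.com result=ok",
       "2023-01-05T10:01:00 src=198.51.100.4 user=alice@example.com result=fail",
       "2023-01-05T10:01:05 src=198.51.100.4 user=alice@example.com result=fail",
       "2023-01-05T10:01:10 src=198.51.100.4 user=alice@example.com result=ok"]
)

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print(hits, accounts_to_reset(SAMPLE_LOG, hits))
```

Note that the two successful logins from the flagged source are exactly the accounts the article's forced-reset response targets; a per-IP rate limit alone would not tell them apart from the legitimate user's retries.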
Via: BleepingComputer
This article was previously published on Source link