UPDATED 23:18 EDT / APRIL 18 2019


Chipotle customers claim their accounts were hacked

History may be repeating for Chipotle Mexican Grill Inc. as customers claim their accounts have been hacked, with fraudulent orders charged to their credit cards.

First reported Wednesday by TechCrunch, the details of what happened are not clear, but the incident may have involved credential stuffing, a type of cyberattack in which previously stolen credentials are used to make purchases. Chipotle suffered a hack that involved credit card-stealing malware on its retail network in April 2017.

According to threads on Reddit and Twitter, some Chipotle customers have reported that up to $300 has been charged to their credit cards for purchases from Chipotle outlets hundreds of miles from where they’re physically located.

“My account was hacked, someone ordered $42 worth of food, and used my saved credit card info to pay for it,” one customer said in a tweet to Chipotle on Twitter. “I reached out to the store and have contacted you via your website with no response. Can I get some help getting a refund?”

Chipotle has denied being hacked, saying that it was “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers.”

Stephen Cox, chief security architect of SecureAuth Corp., explained to SiliconANGLE that credential stuffing is the process of acquiring a cache of previously stolen credentials and using them, often in an automated fashion, to gain unauthorized access to a resource.

“It is a popular technique for attackers looking to break into both consumer and enterprise accounts because people often reuse passwords across multiple accounts,” Cox said. “This swell of consumer account breaches is unfortunately common today and is evidence that our continued reliance on passwords is not sustainable and ultimately fails users. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape.”

The reality, he added, is that people will continue to reuse passwords across multiple resources, allowing stolen credentials to be used as they apparently have for defrauding Chipotle customers.

Photo: Miosotis Jade/Wikimedia Commons
