Many customers of the Chipotle Mexican Grill chain of restaurants are reporting that their accounts have been hacked and that fraudsters are placing large orders on cities away from their location using their credit cards. While this has been reported by several customers on multiple social media platforms, as well as the Chipotle platform, of course, the company has not issued an official announcement yet, playing down the incident by claiming that nothing out of the usual stuffing is currently going on. This means that Chipotle believes that there’s a routine activity of account hacking using stolen credentials from massive data dumps.
However, TechCrunch who brought this to light has asked several of the users who had their account credentials stolen, and many of them responded by saying that their Chipotle account was unique, and so the credential stuffing wouldn’t affect them. There are even cases of customers who didn’t even have an account on Chipotle’s platform, and had just ordered once using the “guest checkout” option. Even this latter category has detected fraudulent activities in their credit cards, which means that the hackers must have breached the restaurant’s payment platform as there’s no other plausible explanation. Still, even when this evidence is produced against Chipotle’s spokespersons, they continue to ascertain that there is no indication of a breach of the private data of their customers.
The privacy and security of our customer information is very important to us. We have no indication of any breach of Chipotle database or systems. We continue to monitor any possible security issues and we are constantly investing in security measures to protect our customers.
— Chipotle (@ChipotleTweets) April 18, 2019
About two years ago, the same chain fell victim of hackers who used malware to steal the payment data of their customers. This was a large-scale attack that affected many hundreds of Chipotle restaurants in the US, Canada, and even the EU, resulting in the loss of customer trust, fall of their shares, and hefty fines. However, this was still not a reason enough for Chipotle to add two-factor authentication on their platform, a practice that they continue to follow to this day.
Even if this is an outbreak of account takeover that is a direct result of a stuffing attack, Chipotle should take the extra protective step and offer that additional layer of security for their customers. Moreover, and since many of the fraudulent orders were placed in different states that where their registered customers reside, adding a fraud-detection and customer protection system that would catch these obvious signs should be a no-brainer. Who knows? Maybe they are enjoying that burst of large orders that accounted for hundreds of dollars in some cases.
Will you be trusting Chipotle with your payment details again in the future? Let us know in the comments section below, and don’t forget to check TechNadu’s Facebook and Twitter where more news, stories, interviews, and reviews are posted daily.