Subj : Chick-fil-A confirms customer accounts hacked in months-long cybe
To : All
From : TechnologyDaily
Date : Fri Mar 03 2023 16:15:03

Chick-fil-A confirms customer accounts hacked in months-long cyberattack

Date: Fri, 03 Mar 2023 16:05:23 +0000

Description: Someone's been stuffing Chick-fil-A with stolen passwords, to great success.

FULL STORY
======================================================================

Hackers have been running an automated credential stuffing attack against Chick-fil-A and selling compromised accounts on the black market, the company has confirmed to local authorities.

The fast food chain submitted a security notice to the California Attorney General's Office, in which it said that between December 18 last year and February 12 this year, it suffered a credential stuffing attack.

Credential stuffing is an automated attack in which the threat actors try countless username/password combinations, usually obtained from other data breaches, to see whether credentials exposed elsewhere are also valid on the platform being attacked. Given that many users often go for the same username/password combination across a multitude of services, credential stuffing attacks are often a resounding success.

Sensitive data stolen

This also seems to have been the case with Chick-fil-A.

"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source. Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account," the company said.

During the attack, the threat actors got ahold of information such as users' names, email addresses, Chick-fil-A One membership numbers, mobile pay numbers, QR codes, masked credit and debit card numbers, and the amount of Chick-fil-A credits. It's the latter that also determined the value of each individual account on the black market. The prices ranged from $2 to $200, and according to BleepingComputer, people have been using stolen accounts to make purchases.

To tackle the issue, the company forced password resets on its customers, froze funds that were loaded into accounts, and removed any stored payment information. It also restored account balances and added rewards to people whose accounts had been compromised, even though technically, the company is not at fault here.

Via: BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/news/chick-fil-a-confirms-customer-accounts-hacked-in-months-long-cyberattack

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
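
The automated pattern described in the story (one source trying many different accounts, most of them failing) can be picked out of login logs, along with the accounts that did get in and need a forced reset. The following is an added example, not part of the original post or of Chick-fil-A's systems; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (epoch_seconds, source_ip, username, success).
EVENTS = [
    (100, "198.51.100.9", "carol@example.com", False),  # user mistypes,
    (105, "198.51.100.9", "carol@example.com", False),  # then gets it right
    (112, "198.51.100.9", "carol@example.com", True),
    (200, "203.0.113.7", "u1@example.com", False),      # one try per account,
    (201, "203.0.113.7", "u2@example.com", False),      # many accounts, mostly
    (202, "203.0.113.7", "u3@example.com", True),       # failing: stuffing shape
    (203, "203.0.113.7", "u4@example.com", False),
    (204, "203.0.113.7", "u5@example.com", False),
    (205, "203.0.113.7", "u6@example.com", False),
    (900, "192.0.2.44", "dave@example.com", False),     # repeated guesses at one
    (901, "192.0.2.44", "dave@example.com", False),     # account: brute force,
    (902, "192.0.2.44", "dave@example.com", False),     # not stuffing
    (903, "192.0.2.44", "dave@example.com", False),
]


def detect_stuffing(events, window=60, min_accounts=5, min_fail_ratio=0.7):
    """Return {source_ip: sorted accounts that logged in during a stuffing burst}.

    A burst is any `window`-second span in which one source tries at least
    `min_accounts` distinct usernames and at least `min_fail_ratio` of the
    attempts fail. Thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide left edge
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_accounts and fails / len(span) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(u for _, u, ok in span if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(EVENTS).items():
        print(f"{ip}: stuffing pattern; successful logins to review: {accounts}")
```

Keying on source IP alone misses attacks spread across many addresses, so in practice the same windowed count is also run against other request attributes.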