Chipotle customers say their accounts have been hacked – TechCrunch




A group of Chipotle customers said their accounts had been hacked and reported fraudulent orders billed to their credit cards, sometimes up to several hundred dollars.

Customers have posted in several Reddit threads complaining about account breaches, and many more tweeted at @ChipotleTweets to alert the fast food giant to the problem. In most cases, orders were placed on the victim's account and delivered to addresses that are often not in their state.

Many customers TechCrunch has spoken with over the past two days reported using their Chipotle account password on other sites. Chipotle spokeswoman Laurie Schalow told TechCrunch that credential stuffing was to blame. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.

But many of the customers we talked to said that their password was unique to Chipotle. Another customer said he did not have an account, but ordered through Chipotle's guest checkout option.

Tweets from Chipotle customers. (Screen capture: TechCrunch)

When we questioned Chipotle about this, Schalow stated that the company "monitors all the security issues of the accounts we have been informed of and that there is no evidence of a breach of our customers' private data", and reiterated that its data points to credential stuffing.

The complaints are similar to those made by DoorDash customers last year, who said their accounts had been misused. DoorDash also blamed credential stuffing for the account breaches, but could not explain how some accounts were breached even when users told TechCrunch that they were using a unique password on the site.

If credential stuffing is causing the Chipotle account breaches, deploying two-factor authentication would help to prevent the automated login process, and would create an additional barrier between a hacker and the account of a victim.

But when asked if Chipotle planned to implement two-factor authentication to protect its customers in the future, Schalow declined to comment. "We are not discussing our security strategies."

Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant customers. More than a hundred fast food chains and restaurants were also affected by the same malware infections.

In August, three suspects belonging to the FIN7 hacking and fraud group were charged with stealing credit cards.
