March 3, 2023

A fast-food restaurant chain Chick-fil-A announced that hackers gained access to their customers’ personal information, including names, email addresses, and phone numbers, in a months-long automated attack. The attackers, according to the company, used a technique known as credential stuffing, which involves using stolen login information from other sites to gain access to accounts on the target site.

This warning came after BleepingComputer notified Chick-fil-A just before Christmas about reports of Chick-fil-A user accounts being stolen and sold online in credential-stuffing attacks. Prices for these accounts ranged from $2 to $200, depending on the rewards account balance and linked payment methods.

“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source. Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account.” – Chick-fil-A notification.

The fast food chain is alerting account holders that threat actors who hacked their account might have gotten a copy of their private data, including their name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on their account (if any).

Birthdays, phone numbers, physical addresses, and the last four digits of credit cards may have been included for some customers. Chick-fil-A forced customers to reset passwords, froze funds loaded into accounts, and removed any stored payment information from accounts in response to the attack.

The sources for this piece include an article in BleepingComputer.