Data breach at Chipotle fast food restaurant, dozens of app accounts were hacked

According to cyber forensics course specialists from the International Institute of Cyber Security (IICS), some users of the fast food chain app Chipotle Mexican Grill report that their accounts have been misused in different locations. Spokespersons for the fast food chain claim that they have not detected any traces of a data breach in their systems.

Through some online platforms, such as Twitter or Reddit, affected users unveiled their experiences, showing clear similarities between the different testimonies. The vast majority of users claim that their accounts were used to order and pay for food at various franchise establishments, even in different states.

“My Chipotle account was recently compromised; someone ordered food and charged the costs to the payment card I kept in the app without my authorization”, said a Reddit user, stressing that this was not the only one case that happened in recent weeks. According to cyber forensics course experts, another Arizona-based Reddit user said a couple of months ago that his Chipotle account had been used to make purchases at some fast food chain establishments in Texas, hundreds of miles away his home.

After user complaints began to generate some impact on social media, the cybersecurity community started to raise the possibility that Chipotle would be a victim of a data breach incident. However, a spokesman for the food franchise stated: “We have found no evidence of security breaches in our systems or databases”.

Cyber forensics course specialists believe that, since there is no data breach in Chipotle, the accounts of the affected users may have been compromised using a cyberattack technique known as credential stuffing attack.

In credential stuffing, the login data stolen from other data breach incidents are used by attackers to try to access other online platforms; this hacking activity depends on the users using the same user name and password in multiple sites.

The company has provided a special section on its website to respond to users concerned about the security status of their accounts and personal information. Specialists believe that these kinds of incidents will keep happening due to the weak security measures used in many Chipotle Grill-like apps. To reinforce these weaknesses, specialists recommend that companies implement multi-factor authentication at least; for users, it is also advisable not to store their payment card data in online apps and platforms with poor security measures.