
Chipotle Customers Say Hackers are Ordering Through Their Accounts

Though Chipotle blamed credential stuffing, the chain declined to comment on whether it’s considering two-factor authentication moving forward.

By Emily Clouse, Staff Writer
3:15PM 04/18/19

As online ordering and delivery quickly become the norm for fast-casual and quick-service chains, the rollout of new applications can be a siren song for hackers. TechCrunch reports that a string of Chipotle customers are posting on Reddit and tweeting at Chipotle that they were charged for food that was delivered to other states. The customers’ accounts and credit card information were hacked, leading to hundreds of dollars in fraudulent charges.

A Chipotle spokesperson blamed the breach on credential stuffing—tapping into usernames and passwords that consumers use on both Chipotle’s app and on other sites that have been hacked—saying the chain sees “no indication of a breach of private data of our customers.” However, several allegedly hacked individuals TechCrunch spoke with said the password they use for Chipotle is unique to that account. One person even said they had never created a Chipotle account, but had checked out as a guest in the past.

TechCrunch reports that if credential stuffing is the issue, two-factor authentication would help prevent breaches like this. “But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment,” writes TechCrunch.

Read the full article here.
