A stream of Chipotle customers have said their accounts have been hacked and are reporting fraudulent orders charged to their credit cards — sometimes totaling hundreds of dollars.
Customers have posted on several Reddit threads complaining of account breaches and many more have tweeted at @ChipotleTweets to alert the fast food giant to the problem. In most cases, orders were placed under a victim’s account and delivered to addresses often not even in the victim’s state.
Many of the customers TechCrunch spoke to in the past two days said they used their Chipotle account password on other sites. Chipotle spokesperson Laurie Schalow told TechCrunch that credential stuffing was to blame. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.
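The credential-stuffing pattern described above leaves a recognizable trace in a site's login logs: one source tries many different accounts in quick succession with a low success rate. The following detection script is an added example, not code from TechCrunch or Chipotle; the log format, IP addresses, usernames and thresholds are constructed for illustration.

```python
# Added example: flag credential-stuffing sources in web login logs.
# Assumed (constructed) log format: "<timestamp> <source_ip> <username> <fail|success>".
from collections import defaultdict

# Constructed sample log lines using documentation-range IPs and placeholder users.
SAMPLE_LOG = """\
2019-04-16T10:00:01 198.51.100.7 alice fail
2019-04-16T10:00:02 198.51.100.7 bob fail
2019-04-16T10:00:02 198.51.100.7 carol fail
2019-04-16T10:00:03 198.51.100.7 dave success
2019-04-16T10:00:03 198.51.100.7 erin fail
2019-04-16T10:00:04 198.51.100.7 frank fail
2019-04-16T10:00:05 203.0.113.9 alice fail
2019-04-16T10:00:09 203.0.113.9 alice success
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "success"})
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.3):
    """Return source IPs that hit many distinct accounts with mostly failures.

    Replaying leaked username/password pairs touches many accounts from one
    source with a low hit rate, whereas a legitimate user who mistypes a
    password retries a single account. Accounts that did log in successfully
    from a flagged source are listed so they can be forced through a reset.
    """
    users, successes = defaultdict(set), defaultdict(set)
    totals = defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        totals[e["ip"]] += 1
        if e["ok"]:
            successes[e["ip"]].add(e["user"])
    flagged = {}
    for ip, total in totals.items():
        ratio = sum(1 for e in events if e["ip"] == ip and e["ok"]) / total
        if len(users[ip]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]),
                           "success_ratio": round(ratio, 2),
                           "successful_logins": sorted(successes[ip])}
    return flagged
```

In the constructed sample, 198.51.100.7 is flagged (six accounts, one success) while 203.0.113.9, a single user retrying one account, is not.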
But several customers we spoke to said their password was unique to Chipotle. Another customer said they didn’t have an account but ordered through Chipotle’s guest checkout option.
When we asked Chipotle about this, Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing.
It’s a similar set of complaints to those made by DoorDash customers last year, who said their accounts had been improperly accessed. DoorDash also blamed the account hacks on credential stuffing, but could not explain how some accounts were breached even when users told TechCrunch that they used a unique password on the site.
If credential stuffing is to blame for the Chipotle account breaches, rolling out two-factor authentication would help prevent the automated login process and put an extra barrier between a hacker and a victim’s account.
But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. “We don’t discuss our security strategies.”
Chipotle reported a data breach in 2017 affecting its 2,250 restaurants. Hackers infected its point-of-sale devices with malware, scraping millions of payment cards from unsuspecting restaurant-goers. More than a hundred fast food and restaurant chains were also affected by the same malware infections.
In August, three suspects said to be members of the FIN7 hacking and fraud group were charged with the credit card thefts.