According to cyber forensics course specialists from the International Institute of Cyber Security (IICS), some users of the fast food chain app Chipotle Mexican Grill report that their accounts have been misused in different locations. Spokespersons for the fast food chain claim that they have not detected any traces of a data breach in their systems.
Through some online platforms, such as Twitter
or Reddit,
affected users unveiled their experiences, showing clear similarities between
the different testimonies. The vast majority of users claim that their accounts
were used to order and pay for food at various franchise establishments, even
in different states.
“My Chipotle account was recently compromised;
someone ordered food and charged the costs to the payment card I kept in the
app without my authorization”, said a Reddit user, stressing that this was
not the only one case that happened in recent weeks. According to cyber
forensics course experts, another Arizona-based Reddit user said a couple of
months ago that his Chipotle account had been used to make purchases at some
fast food chain establishments in Texas, hundreds of miles away his home.
After user complaints began to generate some
impact on social media, the cybersecurity community started to raise the
possibility that Chipotle would be a victim of a data breach incident. However,
a spokesman for the food franchise stated: “We have found no evidence of
security breaches in our systems or databases”.
Cyber forensics course specialists believe that,
since there is no data breach in Chipotle, the accounts of the affected users
may have been compromised using a cyberattack technique known as credential
stuffing attack.
In credential stuffing, the login data stolen
from other data breach incidents are used by attackers to try to access other
online platforms; this hacking activity depends on the users using the same
user name and password in multiple sites.
The company has provided a special section on
its website to respond to users concerned about the security status of their
accounts and personal information. Specialists believe that these kinds of
incidents will keep happening due to the weak security measures used in many Chipotle
Grill-like apps. To reinforce these weaknesses, specialists recommend that
companies implement multi-factor authentication at least; for users, it is also
advisable not to store their payment card data in online apps and platforms
with poor security measures.
