[BreachExchange] Chipotle customers stewing over payment card hack

Destry Winant destry at riskbasedsecurity.com
Fri Apr 19 05:03:37 EDT 2019


https://www.scmagazine.com/home/retail/chipotle-customers-stewing-over-payment-card-hack/

Chipotle is receiving some negative customer reviews, but not over its food.

Instead, some customers are saying on Twitter and Reddit that their
payment card information has been hacked and is being used to make
fraudulent purchases at the Mexican food chain. Chipotle denies a
breach has taken place, although company officials did admit to
monitoring possible account security issues, according to a TechCrunch
story. Instead, Chipotle believes these people are victims of
credential stuffing.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks and
Ameya Talwalkar, co-founder and CPO, Cequence so far are siding with
Chipotle.

Hahad noted that as long as victims are not reporting fraudulent
activity outside Chipotle’s payment site, there is a very good chance
this is just another credential-stuffing scenario. Usually, with
groups like Magecart, the collected credit card information is
recycled into underground forums for sale. It is not used to order
food on the same website.

“To be fully honest, the extent of the damage is probably minimal
because anyone who gets food ordered through a hacked account would
have to give away an address for delivery, which would put them at
risk of prosecution,” he added.

Customers who are primarily affected have an online Chipotle account
with a stored payment card. Many people have reported being charged
for orders that not only they did not place, but also were delivered
to addresses in different cities.

Others tweeted about having difficulty cancelling fraudulent orders,
complaining that the company is not returning messages concerning
refunds. However, it does appear that Chipotle staffers are
contacting those tweeting about their problems and attempting to help.

SC Media has contacted Chipotle for further information.
