[BreachExchange] Nando’s Customers Hit by Credential Stuffing Attacks

Destry Winant destry at riskbasedsecurity.com
Tue Oct 27 10:23:54 EDT 2020


https://www.infosecurity-magazine.com/news/nandos-customers-hit-credential/

Some customers of popular high street eatery Nando’s have been left
hundreds of pounds poorer after cyber-attackers hijacked their online
accounts to place large orders.

Reports in UK media revealed that multiple customers of the peri-peri
chicken chain have had their accounts compromised. Due to COVID-19
restrictions, customers must now scan a QR code in store and order
online to get their food.

However, that has left the door open to attackers who try log-ins
leaked in breaches of other sites, hijacking accounts wherever the
victims reused those same credentials.

According to one report, a group of young people fraudulently placed
two large orders in-store, after trying and failing several times to
use hijacked accounts.

Nando’s said it would reimburse any customers scammed in this way, and
promised to get better at spotting fraudulent account activity.

“We can confirm that while our systems have not been hacked,
unfortunately some individual Nando customer accounts have been
accessed by a party or parties using a technique called
‘credential-stuffing,’ whereby the customer’s email address and
password have been stolen from somewhere else and, if they use the
same details with us, used to access their Nando’s accounts,” it added
in a statement.
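The defensive counterpart to the technique Nando’s describes is spotting it in the login logs. The following is an added example, not code from the article or from Nando’s: a small Python heuristic that separates credential stuffing (one client trying many different accounts, mostly failing, with the occasional success where a reused password lands) from ordinary logins. The log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Credential-stuffing detector over web login logs (added example).

Heuristic: one client IP attempting many *distinct* accounts with a high
failure rate inside a short window is the signature of credential stuffing
(one leaked password per account), unlike brute force against a single
account. Accounts that logged in OK from such an IP are the ones to reset.
Log format and thresholds are assumptions, not any real platform's.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one line per login attempt (not real data).
SAMPLE_LOG = """\
2020-10-27T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2020-10-27T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2020-10-27T10:00:03Z ip=203.0.113.5 user=carol@example.com result=OK
2020-10-27T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2020-10-27T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2020-10-27T10:00:06Z ip=203.0.113.5 user=frank@example.com result=FAIL
2020-10-27T10:00:07Z ip=203.0.113.5 user=grace@example.com result=FAIL
2020-10-27T10:00:08Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2020-10-27T10:05:00Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2020-10-27T10:05:30Z ip=198.51.100.7 user=ivan@example.com result=OK
2020-10-27T10:06:00Z ip=198.51.100.9 user=judy@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.6):
    """Flag IPs that try >= min_accounts distinct users with a failure ratio
    >= min_fail_ratio inside any sliding window. Returns {ip: details}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            ratio = fails / len(span)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                # Successful logins from a stuffing source are the likely
                # compromised accounts: reused passwords that matched.
                hits = sorted({e[2] for e in span if e[3]})
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["accounts_tried"]:
                    alerts[ip] = {
                        "accounts_tried": len(users),
                        "fail_ratio": ratio,
                        "likely_compromised": hits,
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.5 is flagged (eight accounts, seven failures) and carol@example.com is listed as the account to reset; ivan’s single retry from 198.51.100.7 is not, because the distinct-account count stays at one. In production the thresholds would be tuned per platform and the IP key would usually be combined with a device fingerprint, since stuffing tools rotate through proxies.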

There were 64 billion such credential stuffing attempts between July
2018 and June 2020, in the retail, hospitality and travel sectors,
according to Akamai data released last week.

Brian Higgins, security specialist at Comparitech, argued that this
kind of fraud has become more common during the pandemic as
hospitality venues implement online ordering platforms to help protect
staff and customers.

“The security of these platforms is always going to be questionable
and it is absolutely vital that customers take their own security
measures seriously. Never use the same password for more than one
application, whether it’s your bank account, your Facebook page, your
Deliveroo account or anything else,” he continued.

“If attackers, as in this case, can steal the password to one app,
they will have access to them all. Password management is a pain but
feeding someone else’s friends at Nando’s is worse.”

