Mexican food lovers in the U.S. are incurring an ‘extra charge’ with their Chipotle accounts, and they are none too happy about it. In fact, they are up in arms on Reddit and Twitter after failing to convince the restaurant chain that hackers are munching on their credit/debit cards.
According to several threads on Reddit and one on Twitter, Chipotle customers in various U.S. states are seeing fraudulent orders in their bank statements, some for hundreds of dollars. As reported by TechCrunch, most complaints involve orders put through their accounts and delivered to addresses in completely different zip codes. Apparently, the hacks have been going on for at least a couple of months.
Some customers swear their passwords are unique to their Chipotle accounts, which would indicate that the restaurant chain has suffered a breach. However, when contacted to provide a statement on the situation, a Chipotle spokesperson said hackers used credential stuffing to compromise the accounts. Credential stuffing is a technique involving stolen credentials from past data breaches, but it only works if the victim uses the same credentials (including the same password) with multiple accounts. In fact, one affected customer reportedly said they didn’t even have an account with the restaurant – rather, they ordered through the guest checkout option.
Chipotle spokesperson Laurie Schalow said the company is “monitoring any possible account security issues” but maintains that Chipotle has no indication of a breach of private data of its customers.
Notably, Chipotle doesn’t offer two-factor authentication with its app. When asked if it will implement it to strengthen account security, the spokesperson told TechCrunch that “We don’t discuss our security strategies.”
Considering that Chipotle is receiving these complaints, it is hardly in a position to deny the press an explanation – especially since 2FA has become a must in today’s digital world. Worse still, victims claim they are having difficulties reaching Chipotle for an answer.
However, some affected customers indeed fell victim to credential stuffing:
“It happened to me,” a Reddit user identified as Thelonius16 writes. “In my case I was using a password that was compromised on another website so it wasn’t really Chipotle’s fault.”
Even so, the hacked accounts are still Chipotle’s problem as long as the fast food chain hasn’t offered the necessary tools (2FA among them) for those customers to protect their accounts against hacks.