Credential stuffing is one of the many forms of cyberattacks on the rise. It's a low-risk, low-cost automated method. It uses bots to access username-password combinations from past data breaches. It then uses that information to exfiltrate data from a new target system. It relies on people's habit of reusing the same login credential across various sites.
Chick-fil-A is one of the most recent victims of a credential stuffing attack. That proves that even large companies aren't exempt from these malicious attempts. Here's everything you need to know about the incident so you can stay informed.
A Timeline of the Chick-fil-A Credential Stuffing Attack
Chick-fil-A was alerted of the credential stuffing attack before Christmas last year. Chick-fil-A was notified of user accounts that had been stolen and were being sold online. These accounts ranged from $20 to $200. The price increased if they contained high rewards and payment information.
Through further investigation, Chick-fil-A discovered that it suffered several automated attacks. They happened in a months-long data breach between Dec. 18, 2022, and Feb. 12, 2023. The threat actors targeted the fast food company's mobile application and website. Eventually, they gained access to user information from Chick-fil-A One accounts. The fast food company alerted the affected customers through a notification letter.
Consequences of the Chick-fil-A Credential Stuffing Attack
The Chick-fil-A credential stuffing attack affected over 71,000 individuals. The compromised information included names, debit and credit card numbers, and email addresses. The threat actors also accessed Chick-fil-A One membership details and Chick-fil-A credit. Some customers might have more information exposed. They are those who saved their birthdays, home addresses, and phone numbers.
Chick-fil-A urged the affected individuals to change their passwords and delete payment
information. The company also froze existing balances and restored stolen funds.
The Bottom Line
As seen from the Chick-fil-A credential stuffing incident, data breaches have severe
consequences. Aside from losing money and sensitive information, you can lose your customers' trust. That's why business owners must invest in data protection. It will help you preserve your brand's reputation and win your customers' support.