Risks associated with poor password hygiene are hitting home for 71,000 Chick-fil-A customers who have been notified that their online customer loyalty accounts have been compromised via an automated credential-stuffing attack.
Data pilfered from Chick-fil-A customers includes names, email addresses, obfuscated credit and debit card numbers, Chick-fil-A One membership information and Chick-fil-A food credits. According to breach disclosure information shared with multiple state attorney general offices, the credential-stuffing campaign targeted Chick-fil-A customers over a two-month period.
“Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source,” Chick-fil-A said.
Credential stuffing is an attack in which adversaries take lists of usernames and passwords, typically sourced from illicit online forums, and programmatically try them against accounts on unrelated online services. Criminals bank on users reusing the same password across multiple online services.
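Because a credential-stuffing run tries many different usernames from the same source and fails on most of them, it leaves a distinctive footprint in an application's authentication log. The following added example (not code from Chick-fil-A, Verizon or the article) shows the detection logic a defender can run over such a log: it flags a source IP that attempts a large number of distinct usernames within a short window with a high failure ratio, and lists the accounts that nonetheless logged in successfully from that source, which are the candidates for a forced password reset. The log format, the thresholds and the sample lines are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical; not real telemetry).
# Each line: ISO-8601 timestamp, source IP, username, outcome (OK/FAIL).
# 203.0.113.7 sprays one attempt per username; 198.51.100.4 is a single
# user mistyping a password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2023-01-05T10:00:01Z 203.0.113.7 alice@example.test FAIL
2023-01-05T10:00:02Z 203.0.113.7 bob@example.test FAIL
2023-01-05T10:00:03Z 203.0.113.7 carol@example.test FAIL
2023-01-05T10:00:04Z 203.0.113.7 dave@example.test OK
2023-01-05T10:00:05Z 203.0.113.7 erin@example.test FAIL
2023-01-05T10:00:06Z 203.0.113.7 frank@example.test FAIL
2023-01-05T10:00:07Z 203.0.113.7 grace@example.test FAIL
2023-01-05T10:00:08Z 203.0.113.7 heidi@example.test FAIL
2023-01-05T10:00:09Z 203.0.113.7 ivan@example.test FAIL
2023-01-05T10:00:10Z 203.0.113.7 judy@example.test FAIL
2023-01-05T10:00:11Z 203.0.113.7 mallory@example.test FAIL
2023-01-05T10:00:12Z 203.0.113.7 oscar@example.test FAIL
2023-01-05T10:01:00Z 198.51.100.4 alice@example.test FAIL
2023-01-05T10:01:20Z 198.51.100.4 alice@example.test FAIL
2023-01-05T10:01:45Z 198.51.100.4 alice@example.test OK
2023-01-05T12:30:00Z 192.0.2.9 bob@example.test OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=10, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, fail_ratio)} for sources whose activity inside
    any sliding window looks like credential stuffing: many distinct usernames
    attempted, and most attempts failing. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "FAIL")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the strongest (widest) window seen for this source.
                alerts[ip] = max(alerts.get(ip, (0, 0.0)), (len(users), ratio))
    return alerts


def compromised_accounts(events, alerts):
    """Usernames that logged in successfully from a flagged source: the accounts
    whose reused password worked, and the first candidates for a forced reset."""
    return sorted({u for _, ip, u, o in events if ip in alerts and o == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_stuffing(evs)
    for ip, (n_users, ratio) in found.items():
        print(f"stuffing suspected from {ip}: {n_users} usernames, {ratio:.0%} failures")
    print("accounts to reset:", compromised_accounts(evs, found))
```

The single-user source that fails twice and then succeeds is not flagged, because the detector keys on the number of distinct usernames rather than on raw failure counts; a lockout rule based only on failures per account would miss the spray entirely, since each account sees just one attempt.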
According to Verizon's 2023 Data Breach Investigations Report (PDF), poor password hygiene is a leading contributor to business breaches. Poor password management includes password reuse, weak passwords, default credentials, and phishing or pretexting attacks that con users into revealing usernames and passwords.
Eighty percent of successful breaches that targeted web applications exposed via an enterprise external attack surface are tied to stolen credentials, Verizon reported.
“There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to