
Chipotle customers targeted in credential stuffing attack

Chipotle Mexican Grill has confirmed that it was the target of a cyberattack after a small number of its customers reported that food orders placed at the restaurant had been fraudulently charged to their payment cards.

In the past two days, numerous customers have posted on social media and otherwise reported fraudulent charges incurred during the first few weeks of April.

"The privacy and security of our customer information is very important," Laurie Schalow, chief corporate reputation officer at Chipotle told Mobile Payments Today via email. "We have no indication of any breach of Chipotle’s databases or systems."

"We are among the many retail, hotel and restaurant companies affected by credential stuffing, in which combinations of user names and passwords are accessed by third parties and used on websites of different companies to see if they can gain access."

She added that the company continues to monitor any possible security issues and is "constantly" investing in security measures to protect its customers. She said that customers concerned about information security should contact the company’s support team at [email protected].

When Mobile Payments Today asked how customer credit cards could have been used, as indicated in complaints posted on social media sites, Schalow said:

"Through credential stuffing, [an attacker] can access [the customer's] account once they have their user name and password, and place an order, but they cannot see their personal credit card data."
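The pattern Schalow describes (leaked username and password pairs replayed against a login endpoint, with a successful hit letting the attacker order against the card already stored on the account) leaves a distinctive trace in web authentication logs: one source trying many different usernames in a short burst, with a low but non-zero success rate. The script below is an added example of how a defender might surface that pattern and list the accounts that need a forced password reset; it is not Chipotle's or GreatHorn's code. The log format, the field order, the sample lines and the thresholds are all assumptions constructed for illustration.

```python
"""Flag source IPs whose login behaviour looks like credential stuffing.

Added example; not code from the companies in the article. The log format
(ISO timestamp, source IP, username, outcome) and the thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One burst from
# 203.0.113.7 tries ten different accounts in six seconds and gets two
# successes, which is the stuffing signature; the other two sources are
# ordinary users.
SAMPLE_LOG = """\
2019-04-15T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-04-15T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-04-15T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2019-04-15T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-04-15T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-04-15T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-04-15T10:00:04Z 203.0.113.7 grace@example.com SUCCESS
2019-04-15T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-04-15T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2019-04-15T10:00:06Z 203.0.113.7 judy@example.com FAIL
2019-04-15T10:01:10Z 198.51.100.9 alice@example.com FAIL
2019-04-15T10:01:25Z 198.51.100.9 alice@example.com SUCCESS
2019-04-15T10:05:00Z 192.0.2.44 mallory@example.com SUCCESS
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_attempts=8, min_distinct_users=5,
                          max_success_rate=0.5):
    """Return {ip: stats} for sources that, inside any sliding time window,
    made at least min_attempts logins against at least min_distinct_users
    different accounts with a success rate no higher than max_success_rate.

    A legitimate user retrying a forgotten password hits one account, so the
    distinct-user threshold is what separates stuffing from ordinary failures.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start so it spans at most `window` of time.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            n = len(span)
            distinct = len({u for _, u, _ in span})
            successes = sum(1 for _, _, ok in span if ok)
            if (n >= min_attempts and distinct >= min_distinct_users
                    and successes / n <= max_success_rate):
                # Keep the largest qualifying window for this source.
                if ip not in flagged or n > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": n,
                        "distinct_users": distinct,
                        "successes": successes,
                        # Accounts the attacker got into: these are the ones
                        # whose stored payment methods can now be abused and
                        # which should get a forced reset and session revoke.
                        "compromised_accounts": sorted(u for _, u, ok in span if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The successes inside a flagged burst are the actionable output: they are the accounts an attacker now holds, which matches Schalow's description of an attacker who can place an order without ever seeing the card number. Thresholds should be tuned per site, and in production the source key would usually be an IP plus user-agent or ASN rather than a bare address, since stuffing tools commonly rotate through proxies.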

Lorita Ba, vice president of email security provider GreatHorn, said that she had no information about the Chipotle incident outside of published reports. However, she did say that the company has seen similar incidents in which old passwords have been used to get into user accounts or extort money from victims.

"Our recommendation to the public would be to use a password manager to create unique, difficult-to-guess passwords for all of their accounts, and to regularly check public sources to see if either current or outdated information has been leaked," she said.