Chick-fil-A restores award balances for customer accounts compromised in data breach

Following an investigation that lasted nearly three months, Chick-fil-A has confirmed a data breach that affected the accounts of over 71,000 customers.

Where it all began

In December 2022, researchers at BleepingComputer reportedthreat actors were selling compromised Chick-fil-A accounts for as little as $2 via ads shared on a Telegram channel.

Reports of compromised online accounts quickly surfaced, with users reporting being locked out of loyalty member accounts and compromised funds via social media.

Long-lasting credential stuffing attacks and compromised users’ data

On March 2, Chick-fil-A submitted data breach notices acknowledging the attack.

"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source,” the security notice reads. “Based on our investigation, we determined on February 12, 2023 that the unauthorized parties subsequently accessed information in your Chick-fil-A One account."

The months-long credential stuffing attack allowed unrestricted access to 71,473 Chick-fil-A customer accounts to cybercriminals who were able to view and potentially exfiltrate customers’ info, including names, email addresses, Chick-fil-A One membership number and mobile pay number, QR codes, masked credit/debit card numbers, and the amount of Chick-fil-A credit.

Date of birth, phone numbers, physical addresses and the last four digits of credit cards were also exposed for some users. The fast food chain restored balances in accounts that were impacted by the attack.

Following the attack, Chick-fil-A enforced mandatory password resets, froze loaded funds and removed any payment info from customers’ accounts.

Chick-fil-A customers are advised to immediately change the passwords on accounts that used the same login credentials and watch out for phishing and suspicious activity.

Credential stuffing attacks can wreak havoc on security and finances, and users should make sure they create unique and strong passwords for every individual online account.

A trustworthy password manager can help you with the struggles of generating, storing and tracking all of your passwords. This sensitive information is conveniently stored in a locally encrypted database using the highest standard of cryptographic algorithms so no one but you has access to this information.

Bitdefender Password Manager is available as a standalone service or bundled in our Bitdefender Ultimate Security plan also includes award-winning anti-malware and anti-ransomware protection, a Premium VPN and Identity Theft Protection.