Over the past week, Chipotle customers have taken to social media to post about fraudulent charges on their credit cards.
Between Reddit and Twitter, customers have complained about the charges made to their accounts—some totaling hundreds of dollars. Many customers who used their Chipotle password on other sites have been a part of the recent hacks, TechCrunch reported. However, the hack wasn’t limited to those customers. Customers who used Chipotle’s guest checkout option or who have unique Chipotle passwords told TechCrunch they also experienced weird activity on their accounts.
Chipotle spokesperson Laurie Schalow said that credential stuffing was to blame, according to TechCrunch. The tactic is used by hackers who take usernames and passwords from breached sites and then try them to force their way into accounts on other sites.
Schalow said the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers,” and reiterated that the company’s data points to credential stuffing as a cause for the recent hacks.
In 2017, most of Chipotle’s 2,250 restaurants at the time were hit by a breach that lasted from March 24 to April 18. The malware in that breach took data from cards when they were swiped on the POS devices.
It's unclear how widespread this new breach is and how long hackers were collecting data. Schalow declined to comment about how Chipotle plans to remedy the current breach of customer information, telling TechCrunch, “We don’t discuss our security strategies.”
Dunkin’, in November 2018, suffered an unauthorized breach of its rewards program. In April 2018, it was revealed that up to 37 million customers could have been affected by information possibly leaked on Panera’s website. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Pizza Hut, and Wendy’s grappled with breaches in recent years.