Chick-fil-A Admits Accounts Hacked In “Automated” Attack

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 03, 2023 02:45 am PST

Chick-fil-A, an American fast food company, has acknowledged that consumers’ accounts were compromised in a months-long credential stuffing assault, giving threat actors access to personal data and the ability to use saved reward balances. Chick-fil-A started looking into what it called “strange activity” on consumers’ accounts in January.

Chick-fil-A created a support page at the time with instructions for customers on what to do if they see strange behavior on their accounts. Around Christmas, an email was sent informing them of allegations of user accounts at the restaurant being stolen in credential-stuffing attacks and sold online.

Depending on the rewards account balance and associated payment methods, these accounts were sold for prices ranging from $2 to $200. In a security alert today, Chick-fil-A verified what we had been reporting, indicating that between December 18, 2022, and February 12, 2023, they had experienced a credential stuffing assault.

Chick-fil-A Confirms The Attack On Credentials

“After conducting a thorough investigation, we came to the conclusion that between December 18, 2022, and February 12, 2023, unauthorized parties used account credentials (such as email addresses and passwords) acquired from a third-party source to launch an automated attack against our website and mobile application.

Our investigation led us to conclude that unauthorized parties had access to your Chick-fil-A One account on February 12, 2023.” – A Chick-fil-A warning.

The fast food chain is warning affected customers that threat actors who gained access to their accounts would also have had access to their names and email addresses, as well as their Chick-fil-A One membership number, mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (such as the balance of an e-gift card) on their account (if any).

The details could have included the last four digits of credit cards, phone numbers, physical addresses, and birthdays for some clients. Following the hack, Chick-fil-A required customers to change their passwords, freeze money in their accounts, and delete any payment information that had been saved.

As an additional expression of regret, Chick-fil-A claims to have restored the balances of affected customers’ Chick-fil-A One account and added prizes.

Affected users must change their passwords at all websites they often visit, especially where they reuse their Chick-fil-A password, as the accounts were compromised using credentials exposed in prior data breaches.

Use different passwords for each site when changing your passwords, and save them all in a password manager like Bitwarden so you can manage them.

Customers who were affected should be on the alert for possibly targeted phishing emails using this information, even though there is no proof that personal information was misused.
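For a service operator, an automated attack with reused credentials typically appears in authentication logs as one source trying many distinct accounts, with few attempts per account and mostly failures. The detection sketch below is an added example, not part of the original article or Chick-fil-A's tooling; the log format, function names, thresholds and sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict

def sample_log():
    """Constructed lines: 'timestamp ip user result' (format is an assumption)."""
    stuffing = [f"2023-01-05T10:00:0{i}Z 203.0.113.7 user{i}@example.com FAIL"
                for i in range(6)]
    stuffing[3] = stuffing[3].replace("FAIL", "OK")  # one reused password works
    forgot = ["2023-01-05T10:05:00Z 198.51.100.20 dana@example.com FAIL"] * 4
    forgot.append("2023-01-05T10:06:00Z 198.51.100.20 dana@example.com OK")
    nat = [f"2023-01-05T10:10:0{i}Z 192.0.2.50 staff{i}@example.com OK"
           for i in range(5)]
    return stuffing + forgot + nat

def detect_stuffing(lines, min_accounts=5, max_tries_per_account=2.0,
                    max_success_ratio=0.3):
    """Return {source_ip: [accounts logged into from that source]} for sources
    that look like credential stuffing. Thresholds are illustrative only."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0,
                                 "users": set(), "hit": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:          # skip malformed or empty lines
            continue
        _, ip, user, result = parts
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user.lower())
        if result == "OK":
            s["ok"] += 1
            s["hit"].add(user.lower())

    findings = {}
    for ip, s in stats.items():
        accounts = len(s["users"])
        if accounts < min_accounts:
            continue                 # one user retrying a forgotten password
        if s["attempts"] / accounts > max_tries_per_account:
            continue                 # many guesses per account: brute force
        if s["ok"] / s["attempts"] > max_success_ratio:
            continue                 # mostly successful: likely a shared NAT
        # Accounts that were actually entered need a forced reset and review.
        findings[ip] = sorted(s["hit"])
    return findings

if __name__ == "__main__":
    print(detect_stuffing(sample_log()))
```

Grouping by source address alone misses attempts spread across many addresses, so the same counting is usually repeated over other keys the service records, such as client or device identifiers.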

Best Practices To Protect From Hackers

Cybercriminals are constantly seeking new ways to access your information, so you should constantly seek new ways to keep it secure. Working with a cybersecurity expert or business that keeps the data in your system secure and up to date is the best method to accomplish this. Although it is frightening to consider that hackers are continuously coming up with new ways to commit crimes, as long as you stay on top of things, you can dramatically reduce risk and prevent the loss of your customers’ information. Your clients will respect you for it.

Protect your Wi-Fi

In order to browse the internet or speak with friends while waiting for their meals, customers prefer restaurants with Wi-Fi. Nevertheless, it poses a risk because Wi-Fi is open to others, including hackers. Make sure your network has strong encryption and requires passwords to prevent this. Also, consider setting up a distinct Wi-Fi network for your visitors.

Ensure staff are on the lookout

Did you know that human error is the most common source of breaches? Informing your team of techniques to stop hackers will help keep your restaurant secure, because even a tiny error can have serious repercussions. It is common practice for restaurant managers to instruct personnel on what to do in the event of a heist. You should similarly instruct staff about breaches. Include security training in your employee manual or in your training program.

Strictly regulate access to sensitive information

Only some team members need to be aware of a customer’s credit card information or address, even though they are in charge of processing consumers. Your clients will feel more secure knowing that only selected workers have access to their information. Be sure that only people in charge of sensitive information may view it by evaluating your operating system. Check to see whether your program can set up several levels of account access so you can keep track of who sees what.

Research third-party vendors

Many restaurants collaborate with third parties, like delivery services, to make their establishments simpler to find and order from. At the same time, you can grow your clientele. As a result, third-party vendors pose a severe data security risk. You should audit them before choosing to collaborate with them, because your data shouldn’t be accessible to them.


