Chick-fil-A, an American restaurant chain, has notified its customers of an automated credential stuffing attack that affected more than 71,000 of them over a period of months.
Credential stuffing is an attack that uses automation, typically bots, to test large numbers of username and password pairs against targeted online accounts. The attack vector exists because users reuse the same password across many online services; the login data used in credential stuffing is therefore usually taken from earlier data breaches and sold through a variety of Dark Web sources.
"Following a careful investigation, we determined that unauthorised parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company said in a letter to those impacted.
The compromised personal information included customers' names, email addresses, membership numbers, mobile pay numbers, and masked credit or debit card numbers (the unauthorised parties could see only the last four digits of the payment card number). For some customers, phone numbers, home addresses, birthdays, and months of birth were also exposed.
In response to the attacks, Chick-fil-A said it has deleted stored credit and debit card payment methods, temporarily frozen funds that had been loaded onto customers' Chick-fil-A One accounts, and restored any balances that had been adversely affected.
The restaurant chain also advised customers to change their passwords and to choose a strong password that is unique to the site.
Some observers pointed out that while password reuse and the use of obvious, weak passwords are the users' fault, Chick-fil-A still bears part of the responsibility.
"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "Nonetheless, organisations are required by law and morality to protect the private and financial information of their users."
"This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers," Maimon added.
Rise in credential stuffing attacks
Credential stuffing has increased recently because of the massive supply of credentials for sale on the Dark Web. According to an analysis published this week, the sale of stolen credentials dominates underground markets, with more than 775 million credentials currently available.
In January, a credential-stuffing attack on PayPal exposed the personal information of nearly 35,000 user accounts. In the same month, Norton LifeLock warned users that they had been exposed in a credential-stuffing attack of its own.
The incident has also sparked a wider discussion. Because nearly two-thirds of people reuse passwords across different websites, some security experts have proposed doing away with passwords entirely, replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology.