Security News > 2023 > March > Chick-fil-A confirms accounts hacked in months-long "automated" attack
American fast food chain Chick-fil-A has confirmed that customers' accounts were breached in a months-long credential stuffing attack, allowing threat actors to use stored rewards balances and access personal information.
At the time, Chick-fil-A set up a support page with information on what customers should do if they detect suspicious activity on their accounts.
These accounts were sold for prices ranging from $2 to $200, depending on the rewards account balance and linked payment methods.
One Telegram channel seen by BleepingComputer showed people purchasing these accounts and then sharing pictures of their purchases made through these accounts.
"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials obtained from a third-party source."
In response to the attack, Chick-fil-A forced customers to reset passwords, froze funds loaded into accounts, and removed any stored payment information from accounts.