Right in their wallets! What'd you think I was going to say? Sheesh.
Anyways... People who've stored their credit card information on Chipotle.com might want to check their account. Users from all over are reporting that someone is using the Chipotle website to order massive amounts of food on their tab.
And if eating there wasn't enough of a punch in the gut already, Chipotle doesn't seem all that bothered. According to TechCrunch, a spokesperson from the company is quoted as saying they're "monitoring any possible account security issues of which we're made aware and continue to have no indication of a breach of privacy of our customers."
Until Chipotle checks under each E. coli-infected burrito for the cause of the problem, experts believe this to be a credential stuffing attack.
What is Credential Stuffing?
Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords - the attacker simply automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks like Sentry MBA.
Credential Stuffing attacks are made possible because many users will reuse the same password across many sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same password across a majority of their accounts.
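The shape described above is what a defender can look for in the web application's login logs: one source sending a burst of attempts, almost every one for a different account, mostly failing and occasionally succeeding where a password was reused. The following Python is an added example (not Chipotle's or Security7's code) that runs over a constructed log sample in an assumed `timestamp ip user outcome` format, separates that pattern from credential cracking (one account hammered repeatedly), and lists the accounts that succeeded from a stuffing source so they can be reset.

```python
import re
from collections import defaultdict

# Constructed sample of login events (timestamp, source IP, account, outcome).
# Not real Chipotle logs; the IPs come from the documentation ranges.
SAMPLE_LOG = """\
2019-04-16T10:00:01 203.0.113.7 alice@example.com FAIL
2019-04-16T10:00:02 203.0.113.7 bob@example.com FAIL
2019-04-16T10:00:03 203.0.113.7 carol@example.com OK
2019-04-16T10:00:04 203.0.113.7 dave@example.com FAIL
2019-04-16T10:00:05 203.0.113.7 erin@example.com FAIL
2019-04-16T10:01:00 198.51.100.9 alice@example.com FAIL
2019-04-16T10:01:01 198.51.100.9 alice@example.com FAIL
2019-04-16T10:01:02 198.51.100.9 alice@example.com FAIL
2019-04-16T10:01:03 198.51.100.9 alice@example.com FAIL
2019-04-16T10:01:04 198.51.100.9 alice@example.com FAIL
2019-04-16T10:02:30 192.0.2.5 carol@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(text):
    """Return (timestamp, ip, user, outcome) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_sources(events, min_attempts=5, distinct_ratio=0.8, fail_ratio=0.7):
    """Label each source IP: stuffing = many attempts, nearly all for different
    accounts, mostly failing; cracking = many failing attempts on one account."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for _ts, ip, user, outcome in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["fails"] += int(outcome == "FAIL")
    verdicts = {}
    for ip, s in per_ip.items():
        n, users, fails = s["attempts"], len(s["users"]), s["fails"]
        if n < min_attempts or fails / n < fail_ratio:
            verdicts[ip] = "normal"        # too few attempts, or mostly legitimate
        elif users / n >= distinct_ratio:
            verdicts[ip] = "credential_stuffing"
        elif users == 1:
            verdicts[ip] = "credential_cracking"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that logged in OK from a stuffing source: reused passwords that worked."""
    return sorted({u for _t, ip, u, o in events
                   if o == "OK" and verdicts.get(ip) == "credential_stuffing"})
```

The thresholds are assumptions to tune against your own traffic; the point is that stuffing shows up as distinct-account spread per source, which a per-account lockout never sees.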
How do you stop a Credential Stuffing attack?
There are a couple of ways:
1. Stop using the same password for multiple websites
You know who you are. NIST recommends people use at least 8 characters when creating a password. That can include spaces, special characters and even emojis. If you're having a hard time coming up with one, there are even password generators built into most operating systems and web browsers.
You really have no excuse.
2. Enable Two-Factor authentication
Two-factor authentication (2FA) is a type, or subset, of multi-factor authentication (MFA). It is a method of confirming users' claimed identities by using a combination of two different factors out of: 1) something they know, 2) something they have, or 3) something they are.
If you're like most people and you use online accounts to shop or do business, this added level of security can make all the difference when it comes to something like a credential stuffing attack. The hacker might get your username and password, but without the two-factor authentication piece the likelihood of them getting into your account drops drastically.
3. Enable software like Cloudflare Bot Management to protect your website
Since most credential stuffing attacks are seemingly bot-driven, it makes sense to look into software that could potentially protect your domain from bad bots altogether. Cloudflare offers a bot management service that's really worth looking at.
We already leverage Cloudflare's services (both as a customer and reseller) and we couldn't be happier with what they offer. Their bot management software looks promising.
4. Periodically scan the dark web for leaked credentials
The dark web is a scary place. You can find all sorts of things on there, most of which would probably keep you up at night if you stumbled upon them.
However, one of the most mundane yet prominent things are stolen credentials (usernames and passwords) that have been put up for sale.
Security7 Networks offers a FREE leaked credential report service that you can use to see if any of your user credentials from your business or domain have been leaked on the dark web, potentially making you a target for attackers.
What's next for Chipotle?
Who knows. This isn't the first time they've been attacked (on the internet...not the digestive tract...well at least not lately). Just a few years ago, 2,250 Chipotle restaurants (so pretty much all of them nationwide) were affected by an attack that left malware on their point-of-sale systems.
Chipotle never disclosed how many customers were affected, but it was probably quite a few.
Honestly though, while I feel for anyone who gets hacked or has their credentials stolen, it all comes down to making better decisions. Don't buy food online using your credit card, especially if it's from a highly trafficked, high-profile vendor like Chipotle.
On the other hand, if you're going into the store, it might be a good idea to pay cash for your purchase. It's not always convenient or easy but it might be worth it, especially if you can't trust the vendor to prioritize the handling of PCI info correctly.