Chick-fil-A, a popular fast-food chain in the US, is said to be investigating suspicious activity detected in some customers’ user accounts. The announcement was posted on January 5 on the restaurant’s official website and social media platforms.
Security researchers contacted Chick-fil-A before the holidays to report that dark web actors were selling the restaurant’s user accounts, obtained through a credential-stuffing attack. These stolen accounts are allegedly offered on underground markets for $2 to $200, depending on the account’s remaining balance or its Chick-fil-A reward points.
The company has yet to respond to the researchers’ attempts to communicate.
Chick-fil-A customers were alarmed after hackers emptied their loyalty points.
The restaurant’s customers also took their frustration online after receiving notifications that their user accounts had been emptied of loyalty points because of a security breach. In response to these concerns, Chick-fil-A’s management began disabling the creation of new user accounts and prohibited the use of disposable email addresses, requiring people to use their legitimate ones instead.
Meanwhile, the fast-food chain’s management published a One Membership Program support page on its website that customers can visit to learn more about the incident. The page guides customers on what they can do if they detect suspicious activity on their account, if a fraudulent order was placed through their user account, or if their loyalty points were used to redeem rewards fraudulently.
Queries or feedback not covered on the support page are also welcome; the company lets people submit tickets or contact it through its hotline.
Since this security issue could be damaging to Chick-fil-A’s wide range of patrons, the restaurant gave assurances that it is working quickly to resolve it and that it is committed to protecting customers’ data.
Users are advised to change their old passwords to new, unique, and complex ones that are not used on other social or online accounts. It is also recommended that, for now, users remove any payment methods they have previously saved, including credit and debit cards, to stop malicious actors from misusing them.