"Amtrak Says Guest Rewards Accounts Hacked in Credential Stuffing Attacks"

Amtrak is starting to notify some customers that their Guest Rewards accounts have been hacked. According to Amtrak, none of its systems were compromised in the attacks, because the attackers used credential stuffing. In a credential stuffing attack, threat actors take username and password combinations obtained from other data breaches, malware infections, or phishing, and try them against accounts that reuse the same login credentials. Amtrak noted that it believes the unauthorized party may have obtained login credentials from third-party sources. There is no indication that login credentials were obtained from Amtrak's systems. The national passenger railroad company says that the attackers started accessing the targeted accounts on May 15, 2024, and that they were evicted on May 18, after the credentials for the compromised accounts were reset. Amtrak says the attackers were seen changing the email addresses for the hacked accounts and accessing profile information, including names, contact details, dates of birth, Amtrak Guest Rewards account numbers, partial credit card numbers and expiration dates, gift card information, and details about transactions and trips.

 

SecurityWeek reports: "Amtrak Says Guest Rewards Accounts Hacked in Credential Stuffing Attacks"

Submitted by Adam Ekwall on