"Over 71k Impacted by Credential Stuffing Attacks on Chick-fil-A Accounts"

American fast food restaurant chain Chick-fil-A has started notifying roughly 71,000 individuals that their user accounts have been compromised in a two-month-long credential stuffing campaign.  The company said that following a careful investigation, they determined that unauthorized parties launched an automated attack against their website and mobile application between December 18, 2022, and February 12, 2023, using account credentials obtained from a third-party source.  The fast food company says that the attackers eventually gained access to Chick-fil-A One accounts and to the information available within.  The compromised information, the company says, includes names, email addresses, masked credit/debit card numbers, Chick-fil-A One membership information, and the available Chick-fil-A credit for each account.  In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address.  The company noted that, importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.  Chick-fil-A says it has already prompted impacted users to reset their passwords, removed stored credit/debit card payment methods, and temporarily froze any funds that users might have loaded into their Chick-fil-A One accounts.  The company says it has restored account balances for the impacted accounts, which in some cases included refunding to users’ original form of payment, and added rewards to accounts.  Chick-fil-A told the Maine Attorney General’s Office that more than 71,000 individuals were impacted in the incident.

SecurityWeek reports: "Over 71k Impacted by Credential Stuffing Attacks on Chick-fil-A Accounts"