American fast-food restaurant chain Chick-fil-A is investigating what it described as “suspicious activity” linked to some of its customers’ accounts.
“We are investigating suspicious activity on some customer accounts,” the company said in an alert displayed on its official website on Friday and first spotted by security researcher Dominic Alvieri.
“We are committed to protecting customers’ data and are working quickly to resolve the issue.”
A support page on Chick-fil-A’s One Membership Program customer support website tells potentially affected customers what to do if they notice unusual activity on their accounts, see mobile orders placed without their approval, or find that their loyalty points were used to redeem or gift rewards fraudulently.
If they observe anything unusual, customers are advised to immediately change their passwords to new ones that are unique, complex, and not reused on other online platforms or accounts.
They should also remove any stored payment methods, such as credit or debit cards, from their Chick-fil-A One accounts by going into the Chick-fil-A app, into the Account menu and clicking “Manage payment methods.”
Details on what to do if their Chick-fil-A One accounts were used to place mobile orders without their knowledge are available on the same support page.
Hacked Chick-fil-A accounts sold online
Today’s warning comes after BleepingComputer emailed the company before Christmas regarding reports that Chick-fil-A user accounts were being breached in credential-stuffing attacks.
While we have yet to receive a reply, a threat intelligence researcher told BleepingComputer at the time that the hijacked accounts are being used, together with disposable email addresses, to buy food in widespread attacks (a tactic Chick-fil-A customers were warned about today).
Some of the stolen accounts are being sold for $2 to $200, depending on the account balance, linked payment method, or Chick-fil-A One points (rewards points) balance.
Chick-fil-A has since disabled the creation of new accounts and banned the use of disposable email addresses, so threat actors can no longer throw away the mailbox behind a hijacked account and must instead register with a legitimate email provider.
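The two defensive points in this story are worth making concrete: spotting a credential-stuffing pattern in authentication logs (one source hammering many different accounts with a high failure rate, where the occasional success is a compromised account that should be reset), and refusing sign-ups from disposable email domains as Chick-fil-A reportedly now does. The following is an added example, not code from the article or from Chick-fil-A; the log format, the IP addresses, the sample accounts and the list of disposable domains are all constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
from collections import defaultdict

# Constructed sample authentication log (hypothetical format: timestamp, source IP,
# account email, result). One source tries many distinct accounts and mostly fails,
# which is the credential-stuffing signature; the other is an ordinary user.
SAMPLE_LOG = """
2022-12-20T10:00:01Z 203.0.113.10 alice@example.com FAIL
2022-12-20T10:00:02Z 203.0.113.10 bob@example.net FAIL
2022-12-20T10:00:02Z 203.0.113.10 carol@example.org OK
2022-12-20T10:00:03Z 203.0.113.10 dave@example.com FAIL
2022-12-20T10:00:03Z 203.0.113.10 erin@example.net FAIL
2022-12-20T10:00:04Z 203.0.113.10 frank@example.org FAIL
2022-12-20T10:00:04Z 203.0.113.10 grace@example.com OK
2022-12-20T10:00:05Z 203.0.113.10 heidi@example.net FAIL
2022-12-20T10:05:00Z 198.51.100.5 ivan@example.com FAIL
2022-12-20T10:05:10Z 198.51.100.5 ivan@example.com OK
2022-12-20T10:06:00Z 198.51.100.5 ivan@example.com OK
"""

# Illustrative blocklist (assumption); in practice this comes from a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}


def parse_line(line):
    """Return (ip, email, result) for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 4 or "@" not in parts[2]:
        return None
    _ts, ip, email, result = parts
    return ip, email.lower(), result.upper()


def detect_credential_stuffing(lines, min_attempts=5, min_distinct=4, min_fail_ratio=0.6):
    """Flag source IPs whose login traffic looks like credential stuffing.

    A source is flagged when it made at least min_attempts logins against at least
    min_distinct different accounts and at least min_fail_ratio of them failed.
    For each flagged source the accounts that *succeeded* are listed under
    "hijacked": those are the ones to force a password reset and payment-method
    review on, since the attacker now holds a working credential for them.
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    accounts = defaultdict(set)
    successes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash the detector
        ip, email, result = rec
        attempts[ip] += 1
        accounts[ip].add(email)
        if result == "OK":
            successes[ip].add(email)
        else:
            failures[ip] += 1

    flagged = {}
    for ip, n in attempts.items():
        distinct = len(accounts[ip])
        fail_ratio = failures[ip] / n
        if n >= min_attempts and distinct >= min_distinct and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": n,
                "distinct_accounts": distinct,
                "failures": failures[ip],
                "hijacked": sorted(successes[ip]),
            }
    return flagged


def is_disposable(email):
    """True if the address's domain, or any parent domain of it, is on the blocklist.

    Checking parent domains catches throwaway providers that hand out per-user
    subdomains (e.g. something.mailinator.com).
    """
    domain = email.rsplit("@", 1)[-1].strip().lower()
    labels = domain.split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS for i in range(len(labels) - 1))


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.strip().splitlines()).items():
        print(f"{ip}: {info['attempts']} attempts, {info['distinct_accounts']} accounts, "
              f"{info['failures']} failures; hijacked={info['hijacked']}")
    for addr in ("new@mailinator.com", "new@sub.guerrillamail.com", "new@example.com"):
        print(addr, "disposable" if is_disposable(addr) else "ok")
```

Per-source-IP counting is the simplest cut and is what the sample shows; real stuffing campaigns spread attempts across proxy pools, so the same aggregation is normally also run per ASN, per device fingerprint, and per target account (many IPs hitting one account). The disposable-domain check belongs at sign-up and at any email-change request, not only at login, because the point of the throwaway mailbox is to take over the account's notifications and recovery path.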
A Chick-fil-A One spokesperson was not immediately available for comment when contacted by BleepingComputer again earlier today.