Rumors are circulating of a potential data breach at Chipotle. Back in 2017, Chipotle was hit with a vicious malware attack that hijacked point-of-sale (POS) machines and stole credit card data from customers swiping their cards in stores.
In the latest installment of security drama at Chipotle, customers of the chain took to social media claiming that their online Chipotle accounts had been hacked and food had been ordered without their knowledge from several states away.
So, what’s really going on with Chipotle hacks in 2019? And is it time to drop the burrito and walk away from our favorite Mexican grill?
First Reports of the Chipotle Hack
Social media sites such as Reddit and Twitter became breeding grounds for the Chipotle hack conspiracy. Was the company penetrated or did they lose control of their data in a breach?
After being tagged online, Chipotle’s corporate office responded to these reports, mentioning that they had no indication that they had been breached and that the attacks looked to be the result of password stuffing.
Was It Really a Hack?
At this point, it’s too early to tell. Chipotle says that they do not discuss their internal security measures. But if you’ve ordered food through Chipotle’s online service, it’s probably best to log in, change your password, and remove any payment information that you might have saved within the interface.
If you feel hungry and decide you’d like to eat some Chipotle, you could then re-add a new payment method at that time. Or you could always elect to pay with cash at the store and remove your payment information completely.
Since it’s too early to tell if it was really a hack, we’ll have to go with credential stuffing as the most likely thing that happened here.
What Is Credential Stuffing?
Let’s say you created an online email account and you made the password something super-simple to guess like “Bob123” or your date of birth or the street number of your home address.
You proceed to use that same password across other platforms. As time goes on, those platforms get hacked and your email account and your “Bob123” password are now leaked, in tandem, as a possible working combination for your identity on an additional app or website.
Chipotle’s corporate office is suggesting that this is precisely what has happened in their newest wave of negative press. If you use the same password across multiple platforms, you are breaking one of the top rules of digital security – use unique (and hard to guess) passwords for every website you log into.
How Did Password Stuffing Become a Problem?
Your identity is tied to your reputation. While getting back stolen funds will likely take a simple phone call to your bank, the Chipotle Hack of 2019 can teach us some very valuable lessons.
When you create usernames and passwords on websites such as Twitter and LinkedIn, you probably did so thinking that these large companies had the best information security practices in place.
Unfortunately, LinkedIn and Twitter were both breached, and various other notable apps and websites like these two Internet giants have had their entire user databases leaked on the Dark Web.
Hackers trade this data with teams of criminals located all around the world that will try to exploit this data by using the breached combinations on various other platforms.
Are You Vulnerable to a Credential Stuffing Attack?
One of the easiest ways to gain access to someone’s account is to see if their credentials have been leaked from another service.
A survey conducted by BitDefender found that 59% of end users use the same password across different platforms despite knowing the dangers.
You should be vigilant in preventing your credentials from being stolen or leaked online. Sometimes hacks and data breaches go undetected for months and years.
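An added example (not part of the original article): a small Python audit of your own saved logins that flags the two conditions described above, the same username-and-password pair reused across sites and a password that appears in a leaked list. The site names, vault entries and leaked list are constructed for illustration, and the 5-character hash-prefix lookup is an assumed design that lets a breach check run without handing over the full password hash.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked_passwords):
    """Index leaked-password hashes by their first 5 hex characters."""
    index = defaultdict(set)
    for pw in leaked_passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index

def is_breached(password, index):
    """Look up by 5-char prefix; compare the remaining suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())

def audit(vault, index):
    """vault: list of (site, username, password). Returns risky entries."""
    sites_by_pair = defaultdict(set)
    for site, user, pw in vault:
        # The username+password pair is what gets replayed on other sites.
        sites_by_pair[(user.lower(), pw)].add(site)
    findings = []
    for site, user, pw in vault:
        reused_on = sorted(sites_by_pair[(user.lower(), pw)] - {site})
        breached = is_breached(pw, index)
        if reused_on or breached:
            findings.append({"site": site, "reused_on": reused_on,
                             "breached": breached})
    return findings

# Constructed sample data (not real accounts or a real breach list).
LEAKED_SAMPLE = ["Bob123", "letmein", "password1"]
SAMPLE_VAULT = [
    ("email.example", "bob@email.example", "Bob123"),
    ("food-orders.example", "bob@email.example", "Bob123"),
    ("forum.example", "bobby", "letmein"),
    ("bank.example", "bob@email.example", "v7#Qm2!xLr9$Tz4wKp"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT, build_range_index(LEAKED_SAMPLE)):
        print(finding)
```

Every entry it reports is a password to change, starting with accounts that hold payment details.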
Steps to Prevent Password Stuffing Attacks
One of the easiest ways to prevent a password stuffing attack is to use a reputable password manager for all of your online accounts. You might also want to consider getting throwaway email accounts for unimportant online memberships that do not require you to pay for anything.
The idea behind this is simple. You must assume that your password will be leaked onto the Dark Web at some point in time. With the FBI’s recent advisory about Business Email Compromise being on the rise, you must be vigilant in protecting access to your online email accounts, especially the ones that are tied to financial services.
Most of us can access our email through Gmail, Office 365, or some other webmail solution. When you sign up for these, see if you can implement two-factor authentication so that you always get a code to enter when you go to log in to your accounts. This might seem annoying at first, but it’s a necessary step in protecting yourself against password stuffing attacks.
Rethinking Your Digital Security
Just think, if a hacker or a scammer can gain access to your Chipotle account, what else can they do, besides order some burritos? You have way too many personal details out there on the Internet to not take an active role in keeping your data safe.
In today’s ever-evolving world, criminals are becoming more emboldened than ever. No longer does a criminal need to break into your home; they simply use a computer to steal your online identity.
Protect yourself against password stuffing attacks and other forms of sinister hacking by signing up for a top-rated identity protection service. Once you have experts keeping an eye on your personal info for you, worrying about identity (or burrito) theft can take a backseat to more important things like doing your job or spending time with your family.