Customers of fast-food chain Chipotle are reported by TechCrunch to have had their accounts hacked. The company says it believes credential stuffing might be the cause, but some customers have said their passwords were unique to their Chipotle account, and others note that they don’t have an account at all and used Chipotle’s guest checkout.
Ameya Talwalkar, Co-founder and CPO at Cequence:
“Without fully understanding all of the details of the attack, organizations like Chipotle are faced with the following challenges. On the dark web, attackers have a rich repository of user credentials, attack automation tools and compromised computing resources. With those three elements in hand, they will use automation to take over a user account, and then either resell it on the dark web or, as was the case in this attack, use it for their own benefit.
“To prevent these types of attacks, organizations have deployed early, first-generation credential-stuffing/bot-mitigation solutions that either require application instrumentation or ongoing SDK updates for each of the web, mobile and API-based application entry points. If each of the new apps or updates requires instrumentation, or an update to the SDK, in order to be protected, then one of two things may happen: either security is bypassed or the project is delayed, neither of which is acceptable to the business. Ideally, as organizations move towards cloud-native application development methodologies, security becomes part of the workflow, seamlessly and intelligently protecting public-facing apps as they are deployed or updated.”
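The pattern Talwalkar describes (leaked credentials replayed by automation against many accounts) leaves a recognisable footprint in authentication logs: one source trying many different usernames, roughly once each, with a high failure rate, as opposed to a forgetful user failing repeatedly against a single account. The following detector is an added example written for this page; it is not code from Chipotle, TechCrunch or Cequence. The log format, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for this article, not code from Chipotle, TechCrunch or Cequence.
The log format ("<timestamp> <source_ip> <username> <OK|FAIL>"), the thresholds
and the sample data below are assumptions made for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data).
# 203.0.113.7 is a legitimate user who mistypes a password twice, then succeeds.
# 198.51.100.9 tries one leaked password each against 25 different accounts;
# two of those users reused their password, so two attempts succeed.
_STUFFING_USERS = [f"user{i:02d}@example.net" for i in range(25)]
_STUFFING_LINES = [
    f"2019-04-17T10:05:{i:02d}Z 198.51.100.9 {u} {'OK' if i in (7, 19) else 'FAIL'}"
    for i, u in enumerate(_STUFFING_USERS)
]
SAMPLE_LOG = [
    "2019-04-17T10:00:01Z 203.0.113.7 alice@example.com FAIL",
    "2019-04-17T10:00:09Z 203.0.113.7 alice@example.com FAIL",
    "2019-04-17T10:00:20Z 203.0.113.7 alice@example.com OK",
    *_STUFFING_LINES,
    "2019-04-17T10:06:00Z 192.0.2.44 bob@example.com OK",
]


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)   # distinct usernames tried
    takeovers: set = field(default_factory=set)  # usernames that logged in OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    if result not in ("OK", "FAIL"):
        raise ValueError(f"unexpected result field: {result!r}")
    return ts, ip, user, result == "OK"


def aggregate(lines):
    """Build {source_ip: SourceStats} from an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(user)
        if ok:
            s.takeovers.add(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(lines, min_accounts=10, min_fail_ratio=0.7):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    Heuristic: stuffing touches many *different* accounts, about once each, and
    most attempts fail because the leaked password was not reused on this site.
    A legitimate user who forgets a password fails repeatedly against *one*
    account, so the distinct-account count is what separates the two.
    """
    return {
        ip: s for ip, s in aggregate(lines).items()
        if len(s.accounts) >= min_accounts and s.fail_ratio >= min_fail_ratio
    }


def likely_takeovers(lines, **thresholds):
    """Accounts that authenticated successfully from a flagged source.

    These are the candidates for forced password reset and session revocation.
    """
    flagged = detect_stuffing(lines, **thresholds)
    return sorted(u for s in flagged.values() for u in s.takeovers)


if __name__ == "__main__":
    for ip, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(s.accounts)} accounts, {s.attempts} attempts, "
              f"fail ratio {s.fail_ratio:.2f}, successes {sorted(s.takeovers)}")
```

Two caveats a practitioner would add. First, the per-IP view is defeated by exactly the "compromised computing resources" the quote mentions: an attacker rotating through a proxy pool or botnet keeps each source below `min_accounts`, so the same counters should also be kept per client fingerprint (user agent, TLS fingerprint, device ID) and as a global failure-rate baseline. Second, this heuristic only explains takeovers of existing accounts; it says nothing about the guest-checkout reports in the article, which would have to be investigated separately.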