Recently, fellow technology publication TechCrunch reported on a potential security event at Chipotle, the Mexican fast-food provider. According to the article, users of the Chipotle application complained on social media and online forums of fraudulent charges to their accounts.
Expert comments below:
Byron Rashed, VP of Marketing at Centripetal Networks:
“This could be a case of credential stuffing. Many cybercriminals and cyber gangs use algorithmic and other automation to access sites with compromised credentials from other breaches. If it’s true that some victims claim the password is unique to Chipotle, then it’s quite possible they suffered a breach. However, it is also quite possible that the unique passwords associated with their Chipotle accounts could have been derived through password cracking automation by the threat actor since they would have had their email (username).”
“Many passwords associate people, places, etc. in one’s life. Threat actors will also leverage a victim’s social media presence to ‘guess’ passwords that can contain a spouse, child or pet’s name that is easy to remember with some basic characters such as ‘dog’s name 123,’ or something similar where automation can produce a myriad of possible passwords.”