Jason's Deli Accounts Compromised by Credential Stuffing

Deli Dollars loyalty accounts hit with stolen credentials from the Dark Web, potentially exposing the personal data of more than 340,000 customers.

Texas-based soup and sandwich slinger Jason's Deli is alerting members of its Deli Dollars rewards program that their personal data was potentially exposed in a credential-stuffing attack.

According to Jason's Deli's filing with the Maine Attorney General's office, the accounts were compromised with genuine logins that had been gathered from the Dark Web and that originated in previous breaches of other systems. The incident potentially impacts more than 344,000 customers.

The customer notification read in part, "On December 21, 2023, we learned that an unauthorized party had obtained an unknown number of Deli Dollar and online account login credentials (usernames and passwords) most likely from other data breaches or other sources not involving Jason's Deli. These unauthorized parties apparently used these login credentials to determine if they matched those of our reward and online accounts."

As a result, the threat actors were able to compromise Deli Dollars accounts and access associated details, including names, addresses, phone numbers, birth dates, preferred store location, order history, contacts for group orders, house account numbers, Deli Dollars points, and available rewards, as well as partial credit and payment card numbers, according to the notice Jason's Deli is sending out to customers.

MFA, Access Management Stop Credential Stuffing

The restaurant chain is encouraging its Deli Dollars members to update their login credentials, especially if they're using the same username and password for other accounts.

This breach highlights the folly of reusing passwords across accounts, and the need for multifactor authentication (MFA), password managers, and implementation of secure and effective access management, according to Joseph Carson, chief security scientist and advisory CISO with Delinea.

"For businesses and services that provide online accounts, it is a reminder that when you allow users to choose their own passwords and store sensitive data on your systems and do not enforce strong passwords best practices ... it will result in users' accounts eventually being compromised," Carson explained.

Carson added that he has noticed an uptick in successful credential-stuffing attacks.

Lionel Litty, chief security architect at Menlo Security, also favors some sort of MFA tool.

"While MFA is crucial for password reuse and credential stuffing, not all MFA solutions offer equal protection," Litty said. "To truly get the full value from MFA and ensure comprehensive protection, organizations must invest in phishing-resistant MFA. By doing so, they not only mitigate the risks associated with password compromise but also elevate their overall cybersecurity posture."

Sandwiches are proving to be satisfying for bad actors. Just last week, fellow fast-casual sandwich chain Subway was the victim of a LockBit 3.0 ransomware cyberattack. The infamous ransomware group claimed it stole hundreds of gigabytes of financial data, including employee salaries, as well as royalty and commission payments.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
