Fried chicken specialist Chick-fil-A has alerted customers to an automated credential stuffing attack that ran for months, impacting more than 71,000 of its customers, according to the company.

Credential stuffing attacks employ automation, often through bots, to test numerous username-password combinations against targeted online accounts. This type of attack vector is enabled through the common practice of users reusing the same password across various online services; thus, the login info used in credential stuffing attacks is typically sourced from other data breaches and are offered for sale from various Dark Web sources. 

"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company noted in a statement sent to those affected.

The compromised personal information included customers' names, email addresses, membership numbers and mobile pay numbers, as well as masked credit or debit card number — meaning unauthorized parties could only view the last four digits of the payment card number. Phone numbers, addresses, and birthday and month were also exposed for some customers.

Chick-fil-A added that in the wake of the attacks, it has removed stored credit and debit card payment methods, temporarily frozen funds previously loaded onto customers’ Chick-fil-A One accounts, and restored any affected account balances. The fast-food chain also recommended the best practice that customers reset their passwords, and use a password that is not easy to guess and unique to the website.

Some noted that while password reuse or the use of common and weak passwords is the fault of the users, Chick-fil-A still bears some responsibility.

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users."

He adds, "This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers.”

The chain offered some make goods, in case customers wanted to flee the coop after the incident: "As an additional way to say thank you for being a loyal Chick-fil-A customer, we have added rewards to your account," the statement continued. "Chick-fil-A continues to enhance its security, monitoring, and fraud controls as appropriate to minimize the risk of any similar incident in the future."

It was reported in January that Chick-fil-A had been investigating "suspicious activity" across potentially hacked customer accounts. It's unclear why it took so long to determine that the credential-stuffing event was underway. The company did not immediately respond to a request for comment from Dark Reading.

Credential Stuffing Attacks on the Rise

Credential stuffing has become more common lately, fueled by the legions of credentials for sale on the Dark Web. Indeed, the sale of stolen credentials dominate underground markets, with more than 775 million credentials currently for sale according to an analysis this week.

In January, nearly 35,000 PayPal user accounts fell victim to a credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks. That same month, Norton LifeLock alerted customers to their potential exposure from its own credential-stuffing attack.

The situation has also prompted a wider conversation. With nearly two-thirds of people reusing passwords to access various websites, some security experts have proposed approaches that do away with passwords altogether, including replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology.