Cyber Incident Victim: Chipotle Mexican Grill

Date: Apr 2019

Location: United States of America

Summary

Customers of the fast-food chain reported unauthorized account access resulting in fraudulent orders charged to their payment cards, with deliveries often sent to out-of-state addresses. The company attributed the incidents to credential stuffing attacks using compromised credentials from other breaches, though some affected individuals claimed their passwords were unique to the service or that they had used guest checkout options. The organization denied evidence of a system breach compromising customer data but declined to comment on implementing additional security measures like two-factor authentication. This followed an earlier malware-based compromise affecting point-of-sale systems that had exposed payment card information across its restaurant network.

Description

In April 2019, Chipotle customers began reporting unauthorized access to their accounts, resulting in fraudulent orders charged to their credit cards. Complaints surfaced on Reddit threads and Twitter, with victims describing orders placed through their accounts and delivered to addresses outside their states, sometimes costing hundreds of dollars. Chipotle spokesperson Laurie Schalow attributed the incidents to credential stuffing, where attackers used credentials compromised in other breaches to gain access to Chipotle accounts. However, multiple customers contradicted this explanation, stating they had used unique passwords for Chipotle or had placed orders via guest checkout without creating accounts. When questioned about these cases, Schalow maintained the company was monitoring account security issues but reiterated there was no evidence of a breach compromising customer data. Chipotle declined to comment on implementing two-factor authentication as a preventive measure, citing a policy against discussing security strategies.

The incident echoed similar complaints against DoorDash in 2018, where credential stuffing was also cited despite users reporting unique passwords. Chipotle’s response drew attention to its 2017 data breach, which involved malware infecting point-of-sale systems across its 2,250 restaurants, compromising payment card data from millions of customers. That breach was linked to the FIN7 hacking group, with three suspects charged in August 2018. The 2019 account compromises raised concerns about persistent vulnerabilities, though Chipotle consistently denied any new breach of its systems. The company’s reliance on credential stuffing as the sole explanation faced scrutiny due to inconsistencies in customer reports, particularly regarding unique passwords and guest checkout incidents. No further technical details about the 2019 event or specific mitigation steps were disclosed by Chipotle beyond its public statements.
