
Cyber Incident Victim: Chick-fil-A

Date: Dec 2022

Location: United States of America

Summary

Chick-fil-A experienced a credential stuffing attack in which unauthorized actors used credentials sourced from third-party breaches to access customer accounts via its website and mobile application over several months. The compromise affected 71,473 accounts, potentially exposing names, email addresses, membership details, masked payment card information and account balances, and, for some users, partial birthdays, phone numbers and addresses. The company responded by forcing password resets, removing stored payment methods, freezing and later restoring account funds, adding compensatory rewards, and engaging forensic experts to strengthen security controls against future incidents.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Chick-fil-A identified suspicious login activity targeting Chick-fil-A One accounts, prompting an immediate investigation with a national forensics firm that began in December 2022. The company determined that unauthorized parties conducted an automated credential stuffing attack against its website and mobile application between December 18, 2022, and February 12, 2023, using account credentials obtained from third-party sources unrelated to Chick-fil-A. This sustained attack compromised 71,473 customer accounts, as confirmed in Attorney General filings. Threat actors accessed accounts to exploit stored rewards balances and personal information; evidence showed that stolen accounts were subsequently sold on platforms such as Telegram for $2 to $200, priced according to account balances and linked payment methods. Chick-fil-A discovered the breach through internal monitoring of suspicious activity, and external reports emerged before Christmas 2022, when BleepingComputer alerted the company that accounts were being traded online. The attackers specifically targeted Chick-fil-A One membership functionality, including mobile payment systems and reward balances. On February 12, 2023, Chick-fil-A confirmed that unauthorized access to customer accounts had occurred during the attack window. The company notified affected customers via mailed letters dated March 2, 2023, detailing the incident's scope and potential impacts.


Compromised information included names, email addresses, Chick-fil-A One membership numbers, mobile pay numbers, QR codes, masked credit/debit card numbers (showing only the last four digits), and any stored account credits such as e-gift card balances. For customers who had additional details saved in their profiles, attackers potentially accessed birth dates (month and day only), phone numbers, and physical addresses. In response, Chick-fil-A forced password resets for all affected accounts, removed stored payment methods, temporarily froze funds loaded into accounts, and later restored account balances, in some cases issuing refunds to the original payment methods. The company added complimentary rewards to impacted accounts as compensation and implemented enhanced security, monitoring, and fraud controls to prevent recurrence. No evidence suggested misuse of personal information beyond the observed account takeovers and fraudulent purchases. Chick-fil-A attributed the breach to credential reuse, emphasizing that attackers leveraged passwords exposed in unrelated third-party breaches. The incident thus exposed weaknesses in customer password practices rather than a direct compromise of Chick-fil-A's systems, though the nearly two-month attack duration indicates that the reused credentials were exploited continuously over that period.

Sources: 2 sources (available to members)