
Was My Chipotle Account Hacked? Who Should I Contact? Amid Complaints, Burrito Company Says It Sees No Sign of Data Breach

Users of Chipotle's mobile ordering app claim their accounts have been compromised, allowing others to use the hacked accounts to order and pay for deliveries from the popular burrito chain. However, the company says it sees no evidence of any data breach.

TechCrunch recently pointed to a number of Reddit and Twitter threads all containing a similar complaint: a growing number of Chipotle customers were not exactly thrilled to learn that someone else had placed a delivery order using their account at the restaurant chain.

"I and a friend both had our Chipotle accounts compromised recently including charges to our stored credit cards," wrote one Reddit user last week, noting that there were numerous others who had experienced something similar.

A Reddit user from Arizona wrote earlier this year that they had woken up to an alert that their account had been used to make a purchase two states and several hundred miles away in Houston, Texas.

Perhaps the most interesting story is from another customer who says their Chipotle account was used by someone in Texas. In this lengthy saga, the legitimate account holder details in depth their efforts to identify and track down the "Burrito Bandit," who the customer says was a high school student. The customer not only got an apology from the bandit, who claimed it was his brother who hacked the account, but also from the assistant principal at the teen's school. Chipotle rewarded the customer's efforts with some free food, a T-shirt and some other swag.

These are just a few of the dozens of people who have complained online about misuse of their Chipotle accounts, so is there an actual data breach at the fast casual chain?

"We have no indication of any breach of Chipotle’s databases or systems," a rep for Chipotle told Newsweek when contacted on Thursday for comment.

If there is no network breach, how are all these accounts being compromised? It may, as Chipotle itself suggested, be a combination of the app's popularity and what's known as "credential stuffing."

Credential stuffing is an attack in which criminals take username and password pairs stolen in previous data breaches and replay them, usually with automated tools, against the login pages of as many other sites and apps as possible to see which ones still work. It succeeds because so many people reuse the same email address and password across services: a list of a million leaked logins may open only one account in a thousand, but trying the whole list against a popular app still yields hundreds of working accounts. It is like being handed a key that fits roughly 1 in 1,000 doors and trying it on every door in town. So if a Chipotle app user's login information was stolen from another site and they use the same email and password at Chipotle, they could be leaving their door open to burrito bandits everywhere. Notably, no weakness in Chipotle's own systems is needed for this to work, which is consistent with the company seeing no sign of a breach while customers still report hijacked accounts.
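The pattern described above leaves a recognizable fingerprint in a service's own login logs: one client working through many different usernames with a low success rate, where a real customer who mistypes retries the same username. The following is an added example, not Chipotle's code or anything TechCrunch or Wired published; the log format, the sample lines and the thresholds are all constructed for illustration. Besides flagging the source, it lists the accounts that logged in successfully from a flagged source, since those passwords are now confirmed valid in the attacker's list and should be force-reset.

```python
"""Flag credential-stuffing traffic in web-app login logs.

Added example; not Chipotle's code. The log format (timestamp, client IP,
username, result) and every line in SAMPLE_LOG are constructed.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 cycles through eight different usernames
# with mostly failures (stuffing); 198.51.100.5 is one customer who mistyped
# once; 192.0.2.9 is ordinary traffic.
SAMPLE_LOG = """\
2019-04-18T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-04-18T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-04-18T10:00:02Z 203.0.113.7 carol@example.com OK
2019-04-18T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-04-18T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-04-18T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-04-18T10:00:05Z 203.0.113.7 grace@example.com OK
2019-04-18T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-04-18T10:01:10Z 198.51.100.5 alice@example.com FAIL
2019-04-18T10:01:20Z 198.51.100.5 alice@example.com OK
2019-04-18T10:02:00Z 192.0.2.9 ivan@example.com OK
"""


def parse(log_text):
    """Split the constructed log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events


def detect_stuffing(events, min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for client IPs whose traffic looks like stuffing.

    Heuristic: many *distinct* usernames from one client, most of them
    failing. A stuffing tool burns a breach list one pair per account;
    a legitimate user retries the *same* username. The thresholds are
    illustrative and would be tuned per service.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, ip, user, result in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "OK":
            stats["ok"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "success_rate": rate,
            }
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Usernames that logged in successfully from a flagged client.

    Those credentials are confirmed valid in the attacker's list, so the
    right response is to invalidate sessions and force a password reset,
    not just to block the IP (the attacker will simply rotate proxies).
    """
    return sorted({user for _, ip, user, result in events
                   if ip in flagged_ips and result == "OK"})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    hits = detect_stuffing(ev)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("force reset:", accounts_to_reset(ev, hits))
```

In production the same counting would be done per source over a sliding time window rather than over a whole file, and an attacker spreading the list across a proxy pool would show up instead as many IPs each trying a handful of usernames, so the per-account view (one username hit from many IPs in a short time) is worth computing as well.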

"We are among the many retail, hotel and restaurant companies affected by credential stuffing," the Chipotle spokesperson told Newsweek.

What should you do if your Chipotle account has been compromised?

"If a customer is ever concerned about information security, they should contact our customer support team at CustomerServiceTeam@chipotle.com," said the company rep.

[Photo caption: A Chipotle Mexican Grill logo is seen on a store entrance in New York City on November 23, 2015. Andrew Kelly/Reuters]

As TechCrunch and Wired have pointed out, credential stuffing is an increasingly serious problem, both because of the frequency of data breaches that feed the attackers' lists and the sheer number of apps on which people reuse the same password.

One way for companies to reduce the chance of their customers' app accounts being misused in this way is to require, or at least allow, two-factor authentication, either at login or at least before a stored payment method is charged. A second factor such as a one-time code from the customer's phone means that a stolen email and password alone would not be enough: the burrito bandit would not be able to place the order without also having access to the customer's device. The Chipotle rep declined to discuss security matters when asked by TechCrunch about adding two-factor.
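What "two-factor on purchases" looks like in code, as an added example that is not Chipotle's implementation or anything the company has described: a charge against a stored card is refused unless the request also carries a valid time-based one-time code (TOTP, RFC 6238) from an authenticator app enrolled on the customer's device. The `Checkout` class and its order flow are hypothetical; the TOTP arithmetic follows RFC 4226/6238 and is checked against the RFC's published test secret.

```python
"""Step-up authentication on checkout with a TOTP second factor.

Added example; not Chipotle's code. The Checkout flow is hypothetical.
hotp()/totp() implement RFC 4226 / RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS):
    """Return the accepted counter, or None if the code is rejected.

    Accepts +/- `window` steps of clock skew. Any counter at or below
    `last_counter` is refused so a code an attacker captured once cannot
    be replayed inside the same time step. Comparison is constant-time.
    """
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


class Checkout:
    """Hypothetical order flow: the stored card is charged only when the
    password-authenticated session also presents a fresh one-time code."""

    def __init__(self, enrolled_keys):
        self.enrolled_keys = enrolled_keys   # username -> TOTP secret (bytes)
        self.last_counter = {}               # username -> last accepted counter
        self.orders = []

    def place_order(self, user: str, total_cents: int, code: str, now: int) -> bool:
        key = self.enrolled_keys[user]
        accepted = verify_totp(key, code, now, self.last_counter.get(user, -1))
        if accepted is None:
            return False                     # password alone is not enough
        self.last_counter[user] = accepted
        self.orders.append((user, total_cents))
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    shop = Checkout({"victim@example.com": secret})
    now = 1111111109                          # RFC vector: code is 081804
    print("bandit with stolen password, guessed code:",
          shop.place_order("victim@example.com", 2495, "123456", now))
    print("customer with device:",
          shop.place_order("victim@example.com", 2495, totp(secret, now), now))
    print("replay of the same code:",
          shop.place_order("victim@example.com", 2495, totp(secret, now), now))
```

The replay check matters in practice: an attacker who phishes a code gets at most one use of it, and only within the skew window. The secret must be stored server-side as carefully as a password hash would be, since anyone who reads it can generate codes.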

"We continue to monitor any possible security issues and we are constantly investing in security measures to protect our customers," Chipotle said in a statement to Newsweek.

There are things you can do to minimize the likelihood of being a victim of credential stuffing. Two of the easiest are:

1. Use a different password on every app and website. Credential stuffing only works when a password stolen from one site also opens your account on another, so even sharing a login between two services is enough to be exposed. A password manager makes unique passwords painless, and you won't regret it the next time you read one of these stories and find you were not affected.

2. Change any password that may already have been exposed. Some of the credentials used in these attacks come from breaches that are months or even years old, so a password you chose long ago and still use elsewhere may be circulating in an attacker's list. Changing it, particularly on any account or app with a linked payment method, makes the stolen copy worthless. The goal is to retire passwords that have been leaked, not to rotate every password on a fixed schedule; once each site has its own unique password, a breach at one of them no longer puts the others at risk.

You may also want to think twice before linking your credit or debit card to every account you have. Card providers do have strong protections against fraudulent transactions and refund unauthorized purchases that are reported promptly, but you may not want the hassle of calling your bank and disputing a charge. If so, the few seconds spent entering your card number each time you pay may be worth it.
