UPDATED 23:18 EDT / APRIL 18 2019

SECURITY

Chipotle customers claim their accounts were hacked

History may be repeating for Chipotle Mexican Grill Inc. as customers claim their accounts have been hacked, with fraudulent orders charged to their credit cards.

First reported Wednesday by TechCrunch, the details of what happened are not clear, but the incident may have involved credential stuffing, a type of cyberattack in which previously stolen credentials are used to make purchases. Chipotle had suffered from a hack that involved credit card-stealing malware on its retail network in April 2017.

According to threads on Reddit and Twitter, some Chipotle customers have reported that up to $300 has been charged to their credit cards for purchases from Chipotle outlets hundreds of miles from where they’re physically located.

“My account was hacked, someone ordered $42 worth of food, and used my saved credit card info to pay for it,” one customer said in a tweet to Chipotle on Twitter. “I reached out to the store and have contacted you via your website with no response. Can I get some help getting a refund?”

Chipotle has denied being hacked, saying that it was “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers.”

Stephen Cox, chief security architect of SecureAuth Corp., explained to SiliconANGLE that credential stuffing is the process of acquiring a cache of previously stolen credentials and using them, often in an automated fashion, to gain unauthorized access to a resource.

“It is a popular technique for attackers looking to break into both consumer and enterprise accounts because people often reuse passwords across multiple accounts,” Cox said. “This swell of consumer account breaches is unfortunately common today and is evidence that our continued reliance on passwords is not sustainable and ultimately fails users. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape.”

The reality, he added, is that people will continue to reuse passwords across multiple resources, allowing stolen credentials to be used as they apparently have been to defraud Chipotle customers.

Photo: Miosotis Jade/Wikimedia Commons
