What Enterprises Can Learn About Credential Stuffing From Chipotle

Recently, fellow technology publication TechCrunch reported on a potential security event at Chipotle, the Mexican fast-food provider. According to the article, Chipotle application consumers complained of fraudulent charges to their accounts via social media and online forums.

This story is ongoing; it isn’t clear whether Chipotle suffered any kind of widespread breach. Possibly, the complaining consumers suffered from individual account compromises.

However, this cybersecurity story can provide unique insights into the potential dangers of a credential stuffing attack or password security failure. Additionally, it can demonstrate the importance of customer identity and access management (CIAM).

Chipotle and Credential Stuffing

In a statement to TechCrunch, Chipotle spokesperson Laurie Schalow emphasized the enterprise’s cybersecurity efforts; these include “monitoring any possible account security issues of which we’re made aware and [continuing] to have no indication of a breach of private data of our customers.” Interestingly, Ms. Schalow did indicate the company suspected credential stuffing attacks as being behind the fraudulent charges.

In a credential stuffing attack, hackers take lists of usernames and passwords leaked in previous breaches and try those combinations, usually with automated tools, against other sites’ login pages. Essentially, they keep submitting stolen credentials until one pair works and they brute-force their way in.

Usually, credential stuffing attacks succeed against single-factor authentication schemes. Implementing a two-factor or multifactor authentication scheme prevents almost all credential stuffing attacks.

The Experts on Credential Stuffing

We reached out to a few cybersecurity experts to give their takes on the possible Chipotle security events and what enterprises can learn from them:

Byron Rashed, VP of Marketing, Centripetal Networks:

“This could be a case of credential stuffing. Many cybercriminals and cyber gangs use algorithmic and other automation to access sites with compromised credentials from other breaches. If it’s true that some victims claim the password is unique to Chipotle, then it’s quite possible they suffered a breach. However, it is also quite possible that the unique passwords associated with their Chipotle accounts could have been derived through password cracking automation by the threat actor since they would have had their email (username).”

“Many passwords associate people, places, etc. in one’s life. Threat actors will also leverage a victim’s social media presence to ‘guess’ passwords that can contain a spouse, child or pet’s name that is easy to remember with some basic characters such as ‘dog’s name 123,’ or something similar where automation can produce a myriad of possible passwords.”

Adam Laub, SVP Product Management, STEALTHbits Technologies:

“While password reuse across sites is what makes credential stuffing attacks so successful, credential stuffing isn’t the only weapon in an attacker’s arsenal. The use of weak, default, or stolen passwords period is enough to make an account vulnerable, especially with alternative techniques like Password Spraying. With Password Spraying, an attacker can try a small number of highly common passwords against large numbers of accounts while also staying below lockout thresholds, compromising accounts without any elevated privileges and likely without detection.”

“With so little information, it’s hard to say for sure if additional techniques are in play, but the point is that just like there’s more than one way to build your burrito bowl, there’s (way) more than one way to compromise your account.”
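The two patterns described above, a credential-stuffing burst and a password spray that stays under lockout thresholds, can be told apart in ordinary login logs. The following is an added example, not code from the article or from any of the vendors quoted; the log line format, the thresholds and the sample lines are all constructed for illustration.

```python
"""Added example, not from the article; the log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <source IP> <username> <result>"
SAMPLE_LOG = """\
2019-04-18T10:00:01 203.0.113.5 alice@example.com FAIL
2019-04-18T10:00:02 203.0.113.5 bob@example.com FAIL
2019-04-18T10:00:02 203.0.113.5 carol@example.com SUCCESS
2019-04-18T10:00:03 203.0.113.5 dave@example.com FAIL
2019-04-18T10:00:04 203.0.113.5 erin@example.com FAIL
2019-04-18T10:05:00 198.51.100.7 alice@example.com FAIL
2019-04-18T10:05:09 198.51.100.7 alice@example.com SUCCESS
2019-04-18T10:20:00 192.0.2.9 alice@example.com FAIL
2019-04-18T10:21:00 192.0.2.9 bob@example.com FAIL
2019-04-18T10:22:00 192.0.2.9 carol@example.com FAIL
2019-04-18T10:23:00 192.0.2.9 dave@example.com FAIL
2019-04-18T10:24:00 192.0.2.9 erin@example.com FAIL
"""

def parse(log):
    """Return (timestamp, source_ip, username, succeeded) tuples."""
    return [(datetime.fromisoformat(t), ip, u, r == "SUCCESS")
            for t, ip, u, r in (line.split() for line in log.splitlines())]

def detect(events, window=timedelta(minutes=10), min_users=5, lockout=3):
    """Flag sources hitting >= min_users accounts in `window`: a burst within a
    minute is 'stuffing'; a slower run kept under the lockout count is 'spraying'."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_win = [a for a in attempts[i:] if a[0] - start <= window]
            users = sorted({u for _, u, _ in in_win})
            if len(users) < min_users:
                continue
            fails = defaultdict(int)
            for _, u, ok in in_win:
                fails[u] += 0 if ok else 1
            span = (in_win[-1][0] - start).total_seconds()
            if span < 60:
                verdicts[ip] = ("stuffing", users)   # fast, many accounts
            elif max(fails.values()) < lockout:
                verdicts[ip] = ("spraying", users)   # slow, each under lockout
            break
    return verdicts
```

The returned account list is the useful output for a defender: those are the accounts to force a password reset or step-up authentication on, whether or not the individual attempts succeeded.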

Josh Davis, Director of Channels at Circadence:

“If credential stuffing is to blame for Chipotle account breaches, rolling out two-factor authentication could help — and put an additional barrier between a hacker and a victim’s account. Especially when tied to a credit card.”

“But when asked if Chipotle has plans to roll out two-factor authentication to protect its customers going forward, spokesperson Schalow declined to comment. ‘We don’t discuss our security strategies.’”

Stephen Cox, Chief Security Architect of SecureAuth:

“Credential stuffing [constitutes] the process of acquiring a cache of previously stolen credentials and using them, often in an automated fashion, to gain unauthorized access to a resource. It is a popular technique for attackers looking to break into both consumer and enterprise accounts because people often reuse passwords across multiple accounts.”

“This swell of consumer account breaches is unfortunately common today and is evidence that our continued reliance on passwords is not sustainable and ultimately fails users. Decades of experience shows us that the password is an archaic method of authentication, often not under the control of the user, and simply isn’t enough to satisfy today’s threat landscape. The reality is that people will continue to reuse passwords across multiple resources, allowing stolen credentials to have far-reaching consequences like Chipotle customers are experiencing.”

Chipotle and CIAM

For retailers or consumer-facing enterprises, Chipotle’s cybersecurity story shows the importance of customer identity and access management (CIAM). CIAM allows enterprises to enact multifactor authentication and risk adaptive authentication without impacting the user experience.

Relevantly for this case, it also provides password reset self-service. This encourages users to use unique passwords without fear of forgetting or losing them.

As a general rule, your users should outright avoid reusing passwords and should use the most secure passwords available. Additionally, you should implement multifactor authentication as soon as possible and if possible deploy password standards encouraging full phrases.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.