Home Data Breaches A meaty credential stuffing story: Nando’s sees breached accounts

A meaty credential stuffing story: Nando’s sees breached accounts

October 28, 2020

EXECUTIVE SUMMARY:

The chicken dinner chain Nando’s is so highly regarded that celebrities, like Oprah Winfrey, and urban pop-artists, like Jay-Z, frequent the restaurants.

The business’s selling point:

Each piece of chicken is marinated in a spicy peri-peri (chili) sauce for a full 24 hours prior to grill time. The chain favors chilis grown in Mozambique, which retain a unique flavor. To cook the chicken, chefs use a recipe based on a Portuguese Galinha a Africana barbeque technique. The menu is simple and the plates are delicious.

Originally a South African enterprise, Nando’s still commissions original South African art to decorate its restaurant interiors. And lively African or Latin music is always emanating from the speakers.

Fowl play: Nando’s confirms a credential stuffing attack

Customers who frequented Nando’s reported that cyber attackers managed to hack into their accounts. Unauthorized high-volume purchases were made.

“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called credential-stuffing, whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” wrote Nando’s in a statement to the press.

The business has pledged to immediately resolve any account issues for affected customers, and the chain writes of plans to “improve our detection and prevention of suspicious and malicious activity”.

Why did the credential stuffing breach occur?

To streamline processes and reduce human interactions amidst the coronavirus pandemic, the chicken chain uses QR codes in stores and for online orders. The configuration of these systems led a group of young people to try out credential stuffing and account hacking. They were caught on CCTV cameras picking up the fraudulently ordered food.

How many breached accounts were there?

The precise figure has not yet been released.

Across the past several years, more than 100 billion credential stuffing attacks have unfolded around the world. Of those attacks, 64 billion have targeted the retail, travel and hospitality industries. Over 90% of such attacks have hit retailers, including restaurants like Nando’s.

The credential theft attack really ruffled feathers:

In the UK, one resident lost £670, which is quite a few pounds for a few pounds of poultry. And a single mother of three stated that one of her daughters lost £114.50 due to the attack.

For more on this fresh story, visit Threatpost.