Diners at a popular chicken-dinner chain have had hundreds of dollars siphoned out of their bank accounts after cybercriminals gained access to their restaurant ordering credentials. The open question is how: payment-card information is not stored in Nando's accounts, so a stolen password alone does not obviously explain how the fraudsters were able to charge victims' cards.
The Nando’s chain of Peri-Peri chicken eateries is a fixture on most main drags in U.K. and European cities, with dozens of locations in the U.S. as well. It confirmed a credential-stuffing attack on Friday.
Credential stuffing exploits the habit of reusing the same password across multiple online accounts. Attackers take username-and-password pairs leaked in earlier data breaches and replay them, at scale and usually with automated tooling, against the login page of an unrelated service. Unlike a brute-force attack, each account typically sees only one or two attempts, so per-account lockout rarely triggers; wherever a pair still works, the attacker takes over the victim's account.
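Because stuffing spreads a small number of attempts across many accounts, the useful detection signal is per source rather than per account: one client address attempting many distinct usernames in a short window with a high failure rate. The following is an added example (not Nando's code or any vendor's tooling) that runs that heuristic over a constructed, hypothetical authentication log and reports which accounts the flagged source logged into successfully, which are the ones that need a forced password reset. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
"""Flag credential-stuffing sources in an authentication log.

Heuristic: within a sliding time window, a single client IP attempts many
*distinct* usernames and most of those attempts fail. Any username that the
flagged IP did log into successfully is reported as likely compromised.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical log format (constructed for this example):
#   <ISO-8601 UTC timestamp> ip=<client> user=<login> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one attacker IP walks eight different accounts in
# seconds (two pairs still work); a real user at 198.51.100.20 mistypes their
# own password twice before getting in; a third user logs in cleanly.
SAMPLE_LOG = """\
2020-11-13T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2020-11-13T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2020-11-13T10:00:03Z ip=203.0.113.7 user=carol@example.com result=OK
2020-11-13T10:00:04Z ip=203.0.113.7 user=dave@example.com result=OK
2020-11-13T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2020-11-13T10:00:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2020-11-13T10:00:07Z ip=203.0.113.7 user=grace@example.com result=FAIL
2020-11-13T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2020-11-13T10:01:00Z ip=198.51.100.20 user=erin@example.com result=FAIL
2020-11-13T10:01:10Z ip=198.51.100.20 user=erin@example.com result=FAIL
2020-11-13T10:01:20Z ip=198.51.100.20 user=erin@example.com result=OK
2020-11-13T10:02:00Z ip=198.51.100.21 user=ivan@example.com result=OK
"""


@dataclass
class Finding:
    ip: str
    attempts: int          # events in the worst qualifying window
    distinct_users: int    # distinct usernames tried in that window
    failures: int          # failed attempts in that window
    compromised: list[str] = field(default_factory=list)  # successful logins from this IP


def parse_line(line: str):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Lower-case the login so "Alice@" and "alice@" count as one account.
    return ts, m["ip"], m["user"].lower(), m["result"] == "OK"


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5, min_fail_ratio: float = 0.6) -> list[Finding]:
    """Return one Finding per source IP whose activity matches the stuffing pattern."""
    by_ip: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[1]].append(ev)

    findings: list[Finding] = []
    for ip, events in by_ip.items():
        events.sort()  # tuples sort by timestamp first
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(users) >= min_distinct_users and failures / len(span) >= min_fail_ratio:
                if best is None or len(users) > best.distinct_users:
                    best = Finding(ip, len(span), len(users), failures)
        if best is not None:
            # Accounts that this source actually got into: reset these first.
            best.compromised = sorted({e[2] for e in events if e[3]})
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG):
        print(f"{f.ip}: {f.distinct_users} users, {f.failures}/{f.attempts} failed, "
              f"compromised={f.compromised}")
```

On the constructed sample this flags only 203.0.113.7 and names carol and dave as the accounts to reset; the user who fumbled their own password twice is not flagged because they tried a single username. The caveat a practitioner will already know: stuffing operations routinely spread attempts across large proxy pools, so per-IP counting alone is evaded and the same window logic is usually applied to an ASN, a device fingerprint, or the fleet as a whole (a sudden rise in distinct usernames with a high global failure rate).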
Multiple Nando’s customers said their usernames and passwords were stolen and their accounts used to place high-volume orders, according to reports. The mobile numbers on the affected accounts were also changed.
“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called credential-stuffing, whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” Nando’s said in a press statement. “We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts.”
It added, “We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologize to our customers who have been impacted by this.”
Because of COVID-19, Nando’s customers must place orders online or via a QR code. They are then prompted for payment details, but customers said those details are not stored in the account.
“We quite quickly received a refund after complaining on Twitter, however we’re yet to receive any explanation as to how the attack happened,” one U.K. victim told the Daily Mirror.
The sums were not insignificant. One woman received an email confirmation for two orders totaling around $150 (£114.50) that she had never placed. After checking her banking app and confirming that the money had been taken, she spoke to the manager at the store, located in the Kensington area of London.
“We eventually found the telephone number for the Kensington High Street branch and after a while managed to talk to the manager who confirmed that there were a group of young people who’d placed the same orders in store,” she told the Mirror. “They said they’d had numerous attempts blocked while trying to purchase further orders. They’d just left the branch with all the food from the original two orders. He said he had CCTV and we had to contact head office to obtain a refund.”
Other victims told U.K. media outlets that they lost even more; one man was defrauded of about $870 (£670).
Threatpost has reached out to Nando’s for more information on how the fraudsters were able to access payment-card details.
Between July 2018 and June of this year, there were more than 100 billion credential-stuffing attacks in total, according to a recent Akamai report. In the commerce category specifically – comprising the retail, travel, and hospitality industries – there were 64 billion recorded. More than 90 percent of those attacks targeted the retail industry, which includes fast-food chains like Nando’s.