As app-based ordering goes, Chipotle has been ahead of the curve for a while now. The fast-burrito chain’s app allows you to order your meal, pay for it upfront, and pick it up without ever having to wait in one of Chipotle’s occasionally mile-long lines, or even interact with a human being if you aren’t in the mood. The trade-off, as always, is that it requires leaving sensitive credit card information sitting on your phone, waiting to be stolen. And as if their major 2017 data breach wasn’t bad enough, it looks like Chipotle may have been hoodwinked by hackers yet again.
TechCrunch reports that users have been flocking to Reddit and Twitter to complain of another rash of fraudulent activity. Also, the issues seem to date back to the beginning of April, which is... not great. Most of the complaints so far suggest a similar pattern of behavior: passwords being changed, strange charges appearing on bank statements, and expensive meals being ordered in other parts of the country.
In reply to TechCrunch, spokesperson Laurie Schalow said that the company is “monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers.” Instead, Schalow points to “credential stuffing” as a culprit, in which hackers “take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.” However, some of the users affected said that they used different passwords for their Chipotle logins.
Normally, you’re supposed to update passwords every few months. Most people do not do this, and The Takeout recognizes this fact. But as smartphones continue to mandate that more and more personal data also exist online, it might be worth getting into the habit, before somebody on the opposite coast orders $78 in chips and guac on your dime.
As of this publication, Chipotle has not issued a formal statement on the account breaches.