My brother sat in front of me, holding his weary head in his hands. “My points,” he moaned. “They’re gone.” He was referring to his hard-earned Chipotle rewards points, racked up over the course of months and gone in an instant when a random hacker locked him out of his Chipotle rewards app. He’s not alone: Chipotle customers have taken to Reddit en masse to complain about account lockouts and credit card fraud via the fast food chain’s app. I reached out to a Chipotle spokesperson to ask: What do I do if my Chipotle account gets hacked?
Ordering food via the Chipotle app requires a credit card on file, which means anyone with access to your account can use your card to order Chipotle. If you notice unusual Chipotle charges on your credit card statement, call your bank or credit card company to freeze your card and report the fraud immediately. Once again: Start with your bank, not with the Chipotle customer service team.
Side note: Most of these fraud cases aren’t the result of actual “hacking.” They’re most often the result of huge data breaches during which usernames and passwords are sold for a tidy fee. If you suspect your account has been involved in a data breach, visit Have I Been Pwned to find out. If your email or phone number comes up as a data breach casualty, change your passwords immediately.
Once you’ve contacted your credit card company, reach out to Chipotle to see if you can retrieve your precious, precious rewards points. I checked with a Chipotle spokesperson, who told me the following over email:
“The privacy and security of our customer information is very important to us. We are among the many retail, hotel and restaurant companies affected by credential stuffing, in which combinations of user names and passwords are accessed by third parties and used on websites of different companies to see if they can gain access.”
The Chipotle rep also recommended that fraud victims reach out to Chipotle at chipotle.com/contact-us. In my brother’s experience, reaching out online is a lot faster and more productive than calling the customer service hotline. He noted that the fraud department had promised to give him a call, but he hadn’t heard back.
My best advice? Be persistent, and don’t give up hope. If the hacker changes the email associated with the account and locks you out, a Chipotle service rep should be able to transfer your hard-earned rewards points to a new account. Worst-case scenario, you could open a new account and start fresh. It’s an excuse to eat more burritos, if anything.