Chipotle Customers Cry Data Breach

Press enter to search
Close search
Open Menu
Fast-casual brand says no breach, that credential stuffing is to blame for fraudulent charges.

Chipotle Customers Cry Data Breach

By Anna Wolfe - 04/21/2019

A number of customers of Chipotle are claiming their accounts have been hacked and they've been charged for orders at other locations in other states.

Customers are taking to Twitter to air their grievances with @ChipotleTweets and posting their stories on Reddit.

In most cases, orders were put through under a victim’s account and delivered to addresses often not even in the victim’s states, according to reports.

TechCrunch reports that some customers say they used their Chipotle account password on other sites; Chipotle said that credential stuffing, where hackers take lists of usernames and passwords from other breached sites, was to blame.  Yet, according to the article, some customers have come forward to say their cards have been charged and they were using a unique password and logon exclusive to Chipotle’s online ordering platform. 

Whether Chipotle plans to add two-factor authentication remains to be seen; the brand declined to comment on “security matters,” according to reports.   

"We continue to monitor any possible security issues and we are constantly investing in security measures to protect our customers," Chipotle said in a statement to Newsweek.