Credential Stuffing at Chipotle Mexican Grill Inc.

Note: This article was first available to subscribers of Accounting Quality Insights by Audit Analytics on Bloomberg, Eikon, FactSet, and S&P Global. 


It was recently reported that customers of Chipotle Mexican Grill Inc. [CMG] were targeted by a cyber attack in which orders were placed through a victim’s Chipotle app account. A spokesperson for Chipotle said the company found no security issues and believed the breach may have been due to credential stuffing.

Credential stuffing is a method of using credentials (usernames/emails and passwords) that were exposed from one breach to access a separate account. For example, in 2018 Under Armour [UAA], through its MyFitnessPal app, exposed 150 million users’ emails, usernames and passwords. These exposed credentials could be used to access unrelated accounts if an individual reuses their credentials for different sites or apps.

Chipotle isn’t the only food app to be targeted by credential stuffing. DoorDash and Dunkin Donuts [DNKN] were targeted by similar attacks in September 2018 and February 2019, respectively.

Credential stuffing attacks are difficult for companies because the breach isn’t of the company’s systems, yet their customers are still harmed. This can create a negative perception of the company. This is especially true in Chipotle’s case, as they have been subject to two previous cybersecurity attacks; in 2017 Chipotle was targeted by malware and then in 2018 was targeted by a phishing attack.  

So, how much responsibility does Chipotle have for the credential stuffing breach?

In order to answer this question, we must see how other companies mitigate attacks like credential stuffing.

Some companies and industries are under persistent credential stuffing attack. For example, Intuit Inc. [INTU] has disclosed almost 30 similar breaches to the New Hampshire Department of Justice since 2015. But none of Intuit’s breaches affected more than ten New Hampshire residents, and Intuit appears to have discovered these breaches promptly.

Chipotle, however, was informed by customers via social media of the breach.

Companies can detect credential stuffing attacks by, among other methods, monitoring IP addresses to determine if an unusual number of log-in attempts originate from a single IP address, or monitoring unusually large amounts of traffic on the company’s app. Due to Chipotle becoming aware of the breach through social media reports, it does not appear Chipotle monitors their app for credential stuffing attacks.

Conversely, companies can implement security strategies to avoid credential stuffing attacks before they happen. One method is to implement multi-factor authentication. Multi-factor authentication is a second step to the log-in process that often requires a user to answer a personal question.

When asked by TechCrunch whether Chipotle plans to implement multi-factor authentication, a spokesperson did not answer.

While companies do not shoulder the entire blame of credential stuffing breaches, these breaches can still undermine consumer confidence. Chipotle may not be legally liable for the breach, but the lack of mitigating and detecting controls make their app a less safe alternative for consumer data, especially financial data.

For more information on this article or any of our datasets, please contact us by emailing info@auditanalytics.com or call 508-476-7007.