Customers of a popular chicken-dinner chain have seen hundreds of pounds taken out of their bank accounts after cyber-criminals gained access to their restaurant ordering credentials. Puzzlingly, payment-card information is not stored within Nando’s accounts, leaving open questions as to how the fraudulent charges were made.
Many chicken diners said their usernames & passwords were stolen & the accounts used to place high-volume orders.
The Nando’s chain of Peri-Peri chicken eateries is a fixture on most main shopping precincts in UK & European cities, with dozens of locations in the US as well. It confirmed a credential-stuffing attack on Friday.
Usernames & Passwords
Credential-stuffing exploits the habit many users have of reusing the same password across multiple online accounts.
The attackers take username & password pairs leaked in previous data breaches & replay them against other services at large scale; wherever a pair still matches, they can take over the victim’s account.
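Because each stolen pair is tried only once, a stuffing run looks different in authentication logs from classic brute force: many distinct accounts from one source with roughly one attempt each, rather than many guesses against one account. The following added example (not Nando’s code; the log format and the 203.0.113.7 / 198.51.100.9 sample lines are constructed) flags sources with that profile and lists the accounts they actually got into, so those can be reset and their recent orders reviewed.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines for one analysis window (format assumed).
# 203.0.113.7 tries six different accounts once each and gets into two;
# 198.51.100.9 is one customer mistyping their own password before succeeding.
SAMPLE_LOG = """\
2020-11-20T12:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2020-11-20T12:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2020-11-20T12:00:02Z src=203.0.113.7 user=carol@example.com result=OK
2020-11-20T12:00:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2020-11-20T12:00:03Z src=203.0.113.7 user=erin@example.com result=OK
2020-11-20T12:00:04Z src=203.0.113.7 user=frank@example.com result=FAIL
2020-11-20T12:00:10Z src=198.51.100.9 user=grace@example.com result=FAIL
2020-11-20T12:00:15Z src=198.51.100.9 user=grace@example.com result=FAIL
2020-11-20T12:00:20Z src=198.51.100.9 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def detect_stuffing(log_text, min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag sources that touch many distinct accounts with few attempts each.

    Breadth (many accounts) from one source is the stuffing signal; depth
    (many guesses on one account) is ordinary brute force or a forgetful user.
    """
    attempts = defaultdict(int)      # src -> total login attempts
    users = defaultdict(set)         # src -> distinct usernames tried
    successes = defaultdict(set)     # src -> usernames that logged in
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login event
        src, user, result = m.group("src", "user", "result")
        attempts[src] += 1
        users[src].add(user)
        if result == "OK":
            successes[src].add(user)
    flagged = {}
    for src, n in attempts.items():
        distinct = len(users[src])
        if distinct >= min_distinct_users and n / distinct <= max_attempts_per_user:
            flagged[src] = {"attempts": n, "distinct_users": distinct,
                            # accounts to reset and review for fraudulent orders
                            "accessed": sorted(successes[src])}
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

In production the same counters would be kept per sliding time window and per source ASN or device fingerprint as well as per IP, since stuffing tools rotate through proxy pools to stay under per-address thresholds.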
Multiple Nando’s customers said their usernames & passwords were stolen & the accounts used to place high-volume orders, according to reports. The mobile numbers were also changed on the impacted accounts.
“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called credential-stuffing, whereby the customer’s email address & password have been stolen from somewhere else &, if they use the same details with us, used to access their Nando’s accounts,” Nando’s commented in a press statement.
Improve our Detection
“We take immediate action to refund anyone who has been impacted & secure those affected Nando’s accounts.”
They added, “We have made & are continuing to make investments to improve our detection & prevention of suspicious & malicious activity. We apologise to our customers who have been impacted by this.”
Because of COVID-19, Nando’s customers must place orders online or by scanning a QR code. They are then prompted for their payment details, but customers said that those details are not stored in the account.
“We quite quickly received a refund after complaining on Twitter, however we’re yet to receive any explanation as to how the attack happened,” one victim told the Daily Mirror.
The sums were significant – one woman received an email confirmation for 2 orders totalling around £114.50 that she had never placed. After checking her banking app & confirming that the money was taken out, she talked to the manager at the store, located in the Kensington area of Greater London.
Kensington High St.
“We eventually found the telephone number for the Kensington High St. branch & after a while managed to talk to the manager who confirmed that there were a group of young people who’d placed the same orders in store,” she told the Mirror.
“They said they’d had numerous attempts blocked while trying to purchase further orders. They had just left the branch with all the food from the original 2 orders. He said he had CCTV & we had to contact head office to obtain a refund.”
Other victims told media outlets that they were robbed of even more, & one man was robbed of about £670.
Between July 2018 & June 2020 there were more than 100 billion credential-stuffing attacks in total, according to a recent Akamai report. In the commerce category specifically – comprising the retail, travel & hospitality industries – 64 billion were recorded. More than 90% of those attacks targeted the retail industry, which includes fast-food chains like Nando’s.