Chick-fil-A

American fast-food restaurant chain Chick-fil-A is investigating what it described as "suspicious activity" linked to some of its customers' accounts.

"We are investigating suspicious activity on some customer accounts. We are committed to protecting customers’ data and are working quickly to resolve the issue," the company said in an alert displayed on its official website on Friday and first spotted by security researcher Dominic Alvieri.

"While we are still investigating what happened and how certain customers became subject to this fraudulent activity, this is not due to a compromise of Chick-fil-A Inc.'s internal systems," the company added in a Twitter statement.

A support page on Chick-fil-A's One Membership Program customer support website provides potentially affected customers with details on what to do if they notice unusual activity on their accounts, if they see any mobile orders placed without their approval, or if their loyalty points were used to redeem or gift rewards fraudulently.

In the event that they observe anything unusual, customers are advised to immediately change their passwords to new ones that are unique, complex, and not used on other online platforms or accounts.

They should also remove any stored payment methods, such as credit or debit cards, from their Chick-fil-A One accounts by going into the Chick-fil-A app, into the Account menu and clicking "Manage payment methods."

Details on what to do if their Chick-fil-A One accounts were used to place mobile orders without their knowledge are available here.

Chick-fil-A alert (BleepingComputer)

Hacked Chick-fil-A accounts sold online

Today's warning comes after BleepingComputer emailed the company before Christmas regarding reports that Chick-fil-A user accounts were being breached in credential-stuffing attacks.

While we have yet to receive a reply, a threat intelligence researcher told BleepingComputer at the time that the hijacked accounts were being used, together with disposable email addresses, to buy food in widespread attacks (a tactic Chick-fil-A customers were warned about today).

Some of the stolen accounts are being sold for $2 to $200, depending on the account balance, linked payment method, or Chick-fil-A One points (rewards points) balance.

Social networks have also been flooded with customer reports [1, 2, 3, 4, 5, 6] saying their accounts have been hacked and emptied of loyalty points.

Chick-fil-A accounts for sale (BleepingComputer)

Chick-fil-A has since disabled the creation of new accounts and banned the use of disposable email addresses, requiring threat actors to use legitimate email services for hijacking accounts.
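As an added illustration (not code from Chick-fil-A or BleepingComputer), the Python sketch below shows the two defensive signals this report touches on: spotting a credential-stuffing source in login logs (one IP trying many distinct accounts with a high failure rate) and screening addresses against a disposable-email domain list, the mitigation the chain applied. The log lines, IPs, addresses and domain list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of login-attempt log lines (not from any real system).
# Format: <timestamp> ip=<src> user=<email> result=<ok|fail>
SAMPLE_LOG = """\
2022-12-22T10:00:01Z ip=198.51.100.7 user=alice@example.com result=fail
2022-12-22T10:00:02Z ip=198.51.100.7 user=bob@example.net result=fail
2022-12-22T10:00:02Z ip=198.51.100.7 user=carol@example.org result=ok
2022-12-22T10:00:03Z ip=198.51.100.7 user=dave@example.com result=fail
2022-12-22T10:00:04Z ip=198.51.100.7 user=erin@example.net result=fail
2022-12-22T10:00:05Z ip=198.51.100.7 user=frank@example.org result=ok
2022-12-22T10:01:10Z ip=203.0.113.5 user=alice@example.com result=fail
2022-12-22T10:01:20Z ip=203.0.113.5 user=alice@example.com result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

# Constructed throwaway-mail domains; a real deployment would use a maintained feed.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}

def parse(log_text):
    """Yield (ip, user, result) tuples from lines that match the expected format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"]

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.5):
    """Return IPs that tried many distinct accounts and mostly failed.
    Credential stuffing differs from brute force: each account sees only one or
    two attempts, so keying on distinct users per source is what exposes it."""
    attempts = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for ip, user, result in parse(log_text):
        a = attempts[ip]
        a["users"].add(user)
        a["total"] += 1
        if result == "fail":
            a["fail"] += 1
    return sorted(ip for ip, a in attempts.items()
                  if len(a["users"]) >= min_users
                  and a["fail"] / a["total"] >= min_fail_ratio)

def is_disposable(email):
    """Flag addresses on throwaway domains, as a signup or contact-change check."""
    return email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS

if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_LOG))  # ['198.51.100.7']
    print("disposable:", is_disposable("x@Mailinator.com"))        # True
```

Successful logins inside a flagged burst (two here) are the accounts to force a credential reset on, since a "result=ok" from a stuffing source is the takeover, not a false positive.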

A Chick-fil-A spokesperson was not immediately available for comment when contacted by BleepingComputer again earlier today.

Update: Added Chick-fil-A Twitter statement.
