Jason's Deli Restaurant Chain Hit by a Credential Stuffing Attack

The personal information of more than 340,000 customers of popular restaurant chain Jason's Deli may have been compromised in a credential stuffing attack, a scheme in which the hacker uses stolen or leaked credentials to log into other online accounts.
The company doesn't store or retain customer login credentials.
That said, the business is unsure how many accounts were breached through the credential stuffing attack, so it sent the notice to all account holders or rewards program members.
In a notice about the data breach sent to the state of Maine, the company estimated 344,034 people could have been affected.
Among the personal information in an account that could have been stolen are customers' names, addresses, phone numbers, birthdays, order history, contact lists and the names and email addresses used for sending group orders, Deli Dollars points and available redeemable amounts and banked rewards, and truncated gift card and credit card numbers.
Jason's Deli is a sprawling business, with 250 locations spread over 28 states, mostly in the South and Midwest, though there are restaurants as far West as Las Vegas, up to Wisconsin in the North, and into Pennsylvania and Maryland.
Company officials said that once they learned about the intrusion, they began trying to identify affected accounts and requiring that account passwords be more complex.
They also said they will restore the Deli Dollars account balances for customers and urged people to change the passwords to their accounts to ones that are not easy to guess and are not used on other websites or accounts.
Credential stuffing attacks often take advantage of the habit of many people to reuse usernames and passwords for multiple online accounts, making the attack method a poster child for organizations that want to move away from passwords for user authentication.
IT giants like Google and Microsoft, as well as industry groups like the FIDO Alliance, are pushing to do away with passwords for authentication in favor of other options, such as passkeys.
They also advocate for tools like multifactor authentication in the meantime to add another layer to user verification.
People also can use password managers for creating and storing random passwords for websites and accounts.
According to VPN provider NordPass, the average person is juggling 100 passwords, and cybersecurity firm SpyCloud in a 2022 report found that 70% of people whose information was exposed in data breaches the year before reused passwords.
SpyCloud also reported 64% of Fortune 1000 employees reused passwords across multiple sites.
Having so many accounts and passwords to remember is difficult for individuals to manage.
Until people start to move away from reusing passwords for multiple accounts, situations like that with Jason's Deli will continue to happen, according to Omri Weinberg, co-founder and chief revenue officer at SaaS security platform provider DoControl.
Joseph Carson, chief security scientist and advisory CISO at cybersecurity firm Delinea, said that as long as companies let users choose their passwords, attacks like credential stuffing will happen.
People should use a password vault, password manager, or a similar tool to ensure unique passwords for every account.
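The article notes that the company had to work out which accounts were affected. The sketch below is an added example, not code from Jason's Deli or the original report: it scans login events for the usual credential stuffing pattern (one source trying many different usernames with few successes) and lists the accounts that source did get into. The event format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, success)
SAMPLE_EVENTS = (
    # One source walks through ten usernames and gets into exactly one account.
    [("203.0.113.7", f"user{n:02d}", n == 4) for n in range(1, 11)]
    # A customer mistypes a password once, then logs in.
    + [("198.51.100.20", "alice", False), ("198.51.100.20", "alice", True)]
    # A shared office address: several users, all logging in successfully.
    + [("192.0.2.50", name, True) for name in ("bob", "carol", "dave", "erin", "frank")]
)


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Return {source_ip: [accounts it logged into]} for suspicious sources.

    A source is flagged when it tried at least `min_users` distinct usernames
    and at most `max_success_ratio` of its attempts succeeded. Both thresholds
    are illustrative assumptions and need tuning against real traffic.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0, "hit": set()})
    for ip, user, success in events:
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if success:
            entry["ok"] += 1
            entry["hit"].add(user)

    flagged = {}
    for ip, entry in stats.items():
        many_users = len(entry["users"]) >= min_users
        mostly_failing = entry["ok"] / entry["attempts"] <= max_success_ratio
        if many_users and mostly_failing:
            # Accounts the source reached are the ones to reset and review.
            flagged[ip] = sorted(entry["hit"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing, accounts accessed: {accounts}")
```

Counting per source address misses attempts spread across many addresses, so a check like this complements multifactor authentication and password-reuse controls rather than replacing them.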


This Cyber News was published on securityboulevard.com. Publication date: Wed, 24 Jan 2024 21:43:04 +0000

