Nando’s Customers Targeted With Credential Stuffing Attacks

Reports in UK media revealed that multiple customers of Nando’s have had their accounts compromised. Due to COVID-19 restrictions, customers must now scan a QR code in store and order online to get their food.

However, that has left the door open to attackers trying previously breached log-ins from other sites to hijack their accounts, when those credentials are reused by the victims.

According to one report, a group of young people fraudulently placed two large orders in-store, after trying and failing several times to use hijacked accounts.

Nando’s said it would reimburse any customers scammed in this way, and promised to get better at spotting fraudulent account activity.

“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called ‘credential-stuffing,’ whereby the customer's email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” it added in a statement.

There were 64 billion such credential stuffing attempts between July 2018 and June 2020, in the retail, hospitality and travel sectors, according to Akamai data released last week.

Brian Higgins, security specialist at Comparitech, argued that this kind of fraud has become more common during the pandemic as hospitality venues implement online ordering platforms to help protect staff and customers.

“The security of these platforms is always going to be questionable and it is absolutely vital that customers take their own security measures seriously. Never use the same password for more than one application, whether it’s your bank account, your Facebook page, your Deliveroo account or anything else,” he continued.

“If attackers, as in this case, can steal the password to one app, they will have access to them all. Password management is a pain but feeding someone else’s friends at Nando’s is worse."


Source: InfoSecurity