Nando’s Customers Hit by Credential Stuffing Attacks

Some customers of popular high street eatery Nando’s have been left hundreds of pounds poorer after cyber-attackers hijacked their online accounts to place large orders.

Reports in UK media revealed that multiple customers of the peri-peri chicken chain have had their accounts compromised. Due to COVID-19 restrictions, customers must now scan a QR code in store and order online to get their food.

However, that has left the door open to attackers trying previously breached log-ins from other sites to hijack their accounts, when those credentials are reused by the victims.

According to one report, a group of young people fraudulently placed two large orders in-store, after trying and failing several times to use hijacked accounts.

Nando’s said it would reimburse any customers scammed in this way, and promised to get better at spotting fraudulent account activity.

“We can confirm that while our systems have not been hacked, unfortunately some individual Nando’s customer accounts have been accessed by a party or parties using a technique called ‘credential-stuffing,’ whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” it added in a statement.
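The statement above describes the attack from the victim's side: stolen email/password pairs replayed against a different site. From the site's own authentication logs the same activity has a recognisable shape, which is what "spotting fraudulent account activity" comes down to in practice: one source address trying many different accounts in a short span, each once or twice, with a low success rate (a brute-force attack, by contrast, hammers one account with many passwords). The script below is an added example, not Nando's code or any vendor's; the log format, the sample lines, the ten-minute window and the five-account threshold are all constructed assumptions for illustration. It scores each source over a sliding window and reports the accounts that succeeded from a flagged source, which are the ones a defender would force a password reset on and reimburse.

```python
"""Detect credential-stuffing patterns in authentication logs.

Log format (constructed for this example, not a real product's format):
  <ISO-8601 UTC time> login src=<ip> user=<email> result=<OK|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 walks through six different accounts in
# about two minutes and gets one of them right; the other two sources are
# ordinary users (one of them mistypes a password once).
SAMPLE_LOG = """\
2020-10-12T18:00:01Z login src=198.51.100.7 user=alice@example.com result=OK
2020-10-12T18:00:40Z login src=203.0.113.5 user=alice@example.com result=FAIL
2020-10-12T18:00:52Z login src=203.0.113.5 user=bob@example.com result=FAIL
2020-10-12T18:01:05Z login src=203.0.113.5 user=carol@example.com result=FAIL
2020-10-12T18:01:19Z login src=198.51.100.8 user=grace@example.com result=FAIL
2020-10-12T18:01:31Z login src=203.0.113.5 user=Dave@example.com result=OK
2020-10-12T18:01:44Z login src=198.51.100.8 user=grace@example.com result=OK
2020-10-12T18:01:58Z login src=203.0.113.5 user=erin@example.com result=FAIL
2020-10-12T18:02:13Z login src=203.0.113.5 user=frank@example.com result=FAIL
this line is not a login record and is skipped
2020-10-12T18:09:30Z login src=198.51.100.7 user=alice@example.com result=OK
""".splitlines()


def parse_line(line):
    """Return (timestamp, source, user, succeeded) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Normalise case so Dave@ and dave@ count as the same account.
    return ts, m["src"], m["user"].lower(), m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag every source that tried >= min_distinct_users different accounts
    within any span of length `window` (thresholds are assumed values; tune
    them to the site's real traffic). For each flagged source return the peak
    number of distinct accounts, its total failures, and the accounts that
    succeeded from it (the likely hijacked ones)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])

    recent = defaultdict(deque)   # src -> (ts, user) pairs inside the window
    peak = {}
    for ts, src, user, _ok in events:
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_distinct_users:
            peak[src] = max(peak.get(src, 0), distinct)

    report = {}
    for src, n in peak.items():
        mine = [e for e in events if e[1] == src]
        report[src] = {
            "peak_distinct_users": n,
            "failures": sum(1 for e in mine if not e[3]),
            "hijacked": sorted({e[2] for e in mine if e[3]}),
        }
    return report


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['peak_distinct_users']} accounts tried, "
              f"{info['failures']} failures, succeeded on {info['hijacked']}")
```

The window-based count is deliberately keyed on distinct accounts rather than raw failures, because a stuffing run spread across thousands of accounts can stay under any per-account lockout threshold; the follow-up action belongs on the accounts in `hijacked`, not on the source address alone, since the attacker can change addresses but the exposed credentials stay exposed until the password is changed.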

There were 64 billion such credential stuffing attempts between July 2018 and June 2020, in the retail, hospitality and travel sectors, according to Akamai data released last week.

Brian Higgins, security specialist at