Jason’s Deli says customer data exposed in credential stuffing attack


Jason’s Deli is warning customers of its online platform, in data breach notifications, that their personal data was exposed in credential stuffing attacks.

Jason’s Deli is an American restaurant chain with 246 branches in 29 states, employing over 6,000 people and having an annual revenue of over $400 million.

In a data breach notification sent to customers, Jason’s Deli says hackers obtained credentials of member accounts at Jason’s Deli from other sources and, on December 21, 2023, used them in a credential stuffing attack against the restaurant’s website.

“On December 21, 2023, we learned that an unauthorized party had obtained an unknown number of Deli Dollar and online account login credentials (usernames and passwords) most likely from other data breaches or other sources not involving Jason’s Deli,” reads the notice.

“These unauthorized parties apparently used these login credentials to determine if they matched those of our reward and online accounts.”

Credential stuffing succeeds only against users who have set the same credentials across multiple online services and platforms, a practice known as “password recycling,” which leaves their accounts susceptible to hijacking. Site operators can mitigate these types of attacks by rate-limiting login attempts per IP address.
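The IP address rate-limiting mentioned above can be sketched as follows. This is an added example, not code from Jason’s Deli or from the notification; the thresholds, class and function names, and the sample traffic are all assumptions made for illustration. It separates an address failing against many different accounts from a single user mistyping a password.

```python
from collections import defaultdict, deque

WINDOW = 60          # seconds of history kept per IP (assumed value)
MAX_FAILURES = 5     # failed logins allowed per IP per window (assumed)
MAX_USERS = 3        # distinct usernames one IP may fail against (assumed)

class LoginThrottle:
    """Sliding-window limiter keyed on source IP, consulted before password checks."""

    def __init__(self):
        self._failures = defaultdict(deque)   # ip -> deque of (timestamp, username)

    def _recent(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0][0] >= WINDOW:  # drop entries older than the window
            q.popleft()
        return q

    def check(self, ip, now):
        q = self._recent(ip, now)
        if len({user for _, user in q}) > MAX_USERS:
            return "stuffing"   # many accounts failing from one address
        if len(q) >= MAX_FAILURES:
            return "throttle"   # repeated failures, possibly a forgetful user
        return "allow"

    def record_failure(self, ip, username, now):
        self._recent(ip, now).append((now, username.strip().lower()))

def replay(events):
    """events: (timestamp, ip, username, password_ok) -> verdict per attempt."""
    throttle, verdicts = LoginThrottle(), []
    for ts, ip, user, ok in events:
        verdict = throttle.check(ip, ts)
        verdicts.append(verdict)
        if verdict == "allow" and not ok:     # blocked attempts never reach the password check
            throttle.record_failure(ip, user, ts)
    return verdicts

# Constructed sample traffic (documentation IP ranges, made-up usernames).
SAMPLE = (
    [(0, "198.51.100.7", "alice", False), (5, "198.51.100.7", "alice", True)]
    + [(10 + i, "203.0.113.9", f"user{i}", False) for i in range(6)]
    + [(100, "203.0.113.9", "user9", False)]
)

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

A per-IP limit is one layer; per-account failure counters and two-factor authentication cover cases it does not.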

The amount of data exposed in these credential stuffing attacks depends on the type of information a Jason’s Deli member has added to their online profiles and may include the following:

  • Full name
  • Address (including all saved delivery addresses)
  • Phone number
  • Birthday
  • Preferred Jason’s Deli location
  • House account number
  • Deli Dollar points
  • Redeemable amounts and rewards
  • Truncated credit card numbers (only the last four digits are visible)
  • Truncated gift card numbers

Jason’s Deli says it detected the unauthorized access attempts but cannot determine how many accounts have been impacted.

“We do not know the number of accounts that the unauthorized party was able to access, but out of an abundance of caution, we are sending this notice to all potentially affected account holders,” reads the data breach notification from Jason’s Deli.

According to a listing at the Office of the Maine Attorney General, the total number of potentially impacted customers is 344,034 people.

People confirmed as impacted will receive a password reset prompt urging them to choose a new, complex password.

If you are among them, note that you should also change your passwords on all online platforms where you might be using the same credentials and enable two-factor authentication (2FA) where available.

The company also said that, where applicable, Deli Dollars reward points used without authorization from breached accounts would be restored so customers would not experience losses.


