Fans of the popular Nando’s UK eateries have fallen prey to a credential stuffing attack that drained hundreds of pounds sterling out of their bank accounts.
According to several UK media outlets, cybercriminals hijacked multiple customer accounts of the Peri-Peri chicken restaurant chain, changed the phone numbers on the hijacked accounts, and then placed large food orders.
While some of the fraudulent orders came to less than £60, one customer said she lost £670 in meal purchases.
The restaurant chain has acknowledged the attack, saying its systems have not been compromised in any way.
“While our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called ‘credential-stuffing,’ whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” the company said.
According to one report, a group of young individuals placed two massive in-store orders after initially failing to use compromised accounts to finalize their purchase.
“My card was compromised and used in your Finsbury Park location in London, whereas I am in Leeds. It looks like my Nando’s account was compromised to make this payment/charge. Can you help!?” one customer tweeted.
“Can you explain to me how my Nando’s account has been hacked? Currently in lockdown in Wales with my bank card in my hand … but apparently ordering a sit down meal in Croydon… Little help?” another customer added.
With Covid-19 restrictions across the country, Nando’s diners must place their orders online or via a QR code and then enter their payment details. However, most affected customers said their payment details were not stored in their customer accounts.
The restaurant chain said it will reimburse victims and improve its ability to detect fraud and malicious activity.
“We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts,” Nando’s added. “We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologise to our customers who have been impacted by this.”
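Two of the signals this incident illustrates, a single source trying logins against many different accounts before one succeeds, and a phone-number change followed almost immediately by a large order, written as detection logic over a constructed account-activity log. This is an added example, not Nando’s code; the event format, field names, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real customer data); timestamps are UTC.
EVENTS = [
    {"ts": "2020-11-01T12:00:00", "account": "alice@example.com", "type": "login_fail", "ip": "203.0.113.7"},
    {"ts": "2020-11-01T12:00:03", "account": "bob@example.com", "type": "login_fail", "ip": "203.0.113.7"},
    {"ts": "2020-11-01T12:00:05", "account": "carol@example.com", "type": "login_fail", "ip": "203.0.113.7"},
    {"ts": "2020-11-01T12:00:08", "account": "dave@example.com", "type": "login_ok", "ip": "203.0.113.7"},
    {"ts": "2020-11-01T12:01:00", "account": "dave@example.com", "type": "phone_change", "ip": "203.0.113.7"},
    {"ts": "2020-11-01T12:09:00", "account": "dave@example.com", "type": "order", "ip": "203.0.113.7", "amount": 340.0},
    {"ts": "2020-11-01T13:30:00", "account": "erin@example.com", "type": "login_fail", "ip": "198.51.100.2"},
    {"ts": "2020-11-01T13:30:20", "account": "erin@example.com", "type": "login_ok", "ip": "198.51.100.2"},
    {"ts": "2020-11-01T13:45:00", "account": "erin@example.com", "type": "order", "ip": "198.51.100.2", "amount": 22.5},
]

def _parse(events):
    # Convert ISO timestamps and order chronologically so the sliding windows below are valid.
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """IPs whose login attempts (failed or successful) touched at least `min_accounts`
    distinct accounts inside `window`: a leaked credential list replayed from one source."""
    by_ip = defaultdict(list)
    for e in _parse(events):
        if e["type"] in ("login_fail", "login_ok"):
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1  # slide the window forward until it fits
            if len({a["account"] for a in attempts[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def suspicious_orders(events, max_gap=timedelta(minutes=30), min_amount=100.0):
    """(account, amount) for orders of at least `min_amount` placed within `max_gap`
    of a contact-detail change on the same account: the takeover-then-spend pattern."""
    last_change, hits = {}, []
    for e in _parse(events):
        if e["type"] == "phone_change":
            last_change[e["account"]] = e["ts"]
        elif e["type"] == "order" and e["amount"] >= min_amount:
            changed = last_change.get(e["account"])
            if changed is not None and e["ts"] - changed <= max_gap:
                hits.append((e["account"], e["amount"]))
    return hits
```

Both checks are cheap enough to run on a login/order event stream as it arrives; the thresholds are starting points to tune against a service’s normal traffic, not fixed values.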