American fast food chain Chick-fil-A has confirmed that customers’ accounts were breached in a months-long credential stuffing attack, allowing threat actors to use stored rewards balances and access personal information.

In January, reporters stated that Chick-fil-A had begun investigating what it described as “suspicious activity” on customers’ accounts. At the time, Chick-fil-A set up a support page with information on what customers should do if they detect suspicious activity on their accounts. This warning came after reporters emailed Chick-fil-A before Christmas about reports of Chick-fil-A user accounts being stolen in credential-stuffing attacks and sold online. These accounts were sold for prices ranging from $2 to $200, depending on the rewards account balance and linked payment methods. One Telegram channel seen by reporters showed people purchasing these accounts and then sharing pictures of purchases they had made through them.

On March 2nd, 2023, Chick-fil-A confirmed the reports in a security notice submitted to the California Attorney General’s Office, stating that it suffered a credential stuffing attack between December 18th, 2022, and February 12th, 2023.

The fast food chain is warning impacted customers that threat actors who accessed their accounts would also have had access to their personal information, including their name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on the account (if any). For some customers, the information may have included birthdays, phone numbers, physical addresses, and the last four digits of credit cards.