As per the data breach notification filed by the company with Maine’s attorney general office, hackers gained access to customers’ usernames and passwords, along with other sensitive data.
Popular American fast-casual restaurant chain Jason’s Deli has been hit by a data breach, exposing the personal information of millions of customers. The incident, a credential stuffing attack, occurred in December 2023 and affected approximately 344,000 users.
It is worth noting that hackers employed the same attack technique during the 23andME data breach, a DNA testing service. The company, however, shifted the blame onto the victims, loosely arguing that the breach could have been prevented if the affected individuals had not used the same password on other accounts.
Credential Stuffing Attack
As per the data breach notification filed by the company with Maine’s attorney general office, the incident was identified and took place on 21 December 2023. During the attack, hackers gained unauthorized access to Deli Dollar and online account login credentials of approximately 344,000 users.
The attackers used a technique known as credential stuffing, which involves taking usernames and passwords stolen from other data breaches and trying them on different websites.
When it comes to login credentials, hackers were able to access customers’ usernames and passwords. Other potentially exposed data includes the following:
- Names
- date of birth
- Contact Lists
- Order history
- phone numbers
- email addresses
- Deli Dollars points
- House account number
- Preferred Jason’s Deli location
- Redeemable amounts and banked rewards
- Truncated gift card and credit card numbers.
However, the company maintains that the attackers would likely have had limited access, unable to view your complete payment or gift card number—possibly only the last four digits.
Jason’s Deli has apologized for the data breach and assured customers that they are taking steps to improve their cybersecurity. The company has stated that they are conducting a review of its security protocols and implementing additional safeguards to prevent future attacks.
For insights into the data breach, we reached out to Lionel Litty, Chief Security Architect at Menlo Security who emphasised that companies must implement Multi-Factor Authentication on customers’ accounts.
“While Multi-Factor Authentication (MFA) is crucial for password reuse and credential stuffing, not all MFA solutions offer equal protection but to truly get the full value from MFA and ensure comprehensive protection, organizations must invest in phishing-resistant MFA,” Litty explained.
“By doing so, they not only mitigate the risks associated with password compromise but also elevate their overall cybersecurity posture. Remember, the technology you use matters and will produce better outcomes,” he said.
Impact on Customers
The data breaches at Jason’s Deli have raised concerns about the security of customer information and the potential for identity theft. Customers whose information was exposed in the credential stuffing attack are at risk of having their online accounts hacked.
Jason’s Deli has advised customers to monitor their financial statements for any unauthorized activity and to report any suspicious charges to their bank or credit card company. The company has also provided information on how to protect themselves from identity theft.
Hackread.com’s Recommendations for Customers
If you are a Jason’s Deli customer, it is important to take steps to protect your personal information. Here are a few recommendations:
- Monitor your financial statements for any unauthorized activity.
- Report any suspicious charges to your bank or credit card company.
- Be cautious about clicking on links or opening attachments in emails from unknown senders.
- Use strong passwords and enable two-factor authentication on your online accounts.
- Change your password for your Jason’s Deli online account and any other accounts where you use the same password.
The data breaches at Jason’s Deli serve as a reminder of the importance of protecting our personal information. By taking steps to be more vigilant and security-conscious, we can help reduce the risk of becoming a victim of identity theft or other cybercrime.