Jason’s Deli breach exposes almost 350K users


The popular US fast food chain Jason’s Deli experienced a credential stuffing attack that exposed the data of 344,000 individuals.

On December 21st, the fast food chain identified a data incident that is said to have exposed Deli Dollar and online account login credentials (usernames and passwords).


The company hypothesizes that the unauthorized party accessed these details from other data breaches or sources unrelated to Jason’s Deli.

The breach information shows that 344,000 people were affected by the data breach, and that the method the adversaries used to gain access was credential stuffing.

Credential stuffing exploits the fact that individuals often reuse the same username and password combination across separate accounts.

Adversaries obtain these credentials and then use them across other sites to access other accounts.

“If you utilized the same user name and password combination to open your Jason’s Deli account that was used on another website or account with a company that may have been compromised in the past, this would theoretically allow them access to your Jason’s Deli account,” the breach notice reads.

Information that may have been acquired during the attack:

  • Name or other personal identifier
  • Address (including all saved delivery addresses)
  • Phone number
  • Date of birth
  • Security code, access code, password, or PIN for the account
  • Financial account number or credit card/debit card number

Jason’s Deli claims that the unauthorized party would not have been able to view an individual's entire payment or gift card number – but they may have had access to the last four digits.


Once the company learned of the incident, it began protecting accounts by identifying affected parties and requiring more robust user passwords.
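To illustrate how affected accounts can be identified after credential stuffing, here is an added example (not code from Jason’s Deli or from the breach notice) that flags login sources trying many different usernames with few successes and lists the accounts they got into. The event format, sample data, and thresholds are assumptions; attackers who spread attempts across many IP addresses need additional signals.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded)
EVENTS = (
    # One source trying eight different accounts once each, one hit
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # Shared office address: several users, all logging in normally
    + [("198.51.100.20", f"staff{i}@example.com", True) for i in range(5)]
    # One person mistyping a password twice before getting it right
    + [("192.0.2.55", "dana@example.com", ok) for ok in (False, False, True)]
)

def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is suspicious when it tried at least `min_users` distinct
    usernames and at most `max_success_ratio` of them succeeded.
    Both thresholds are illustrative assumptions.
    """
    tried = defaultdict(set)      # ip -> usernames attempted
    succeeded = defaultdict(set)  # ip -> usernames with a successful login
    for ip, user, ok in events:
        tried[ip].add(user)
        if ok:
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        ratio = len(succeeded[ip]) / len(users)
        if len(users) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged

def accounts_to_reset(events, **thresholds):
    """Accounts accessed from any flagged source: candidates for a
    forced password reset and user notification."""
    hit = set()
    for users in find_stuffing_sources(events, **thresholds).values():
        hit.update(users)
    return sorted(hit)

if __name__ == "__main__":
    for ip, users in find_stuffing_sources(EVENTS).items():
        print(f"{ip}: accessed {users}")
    print("reset:", accounts_to_reset(EVENTS))
```
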

The fast food chain urges customers to change their usernames and passwords on all accounts where these credentials may have been used.

The number of accounts that the unauthorized party was able to access is unknown.