Nando’s Hackers Feast on Customer Accounts


Diners at a popular chicken-dinner chain have seen hundreds of dollars siphoned out of their bank accounts after cybercriminals were able to access their restaurant ordering credentials. The puzzle, though, is that payment-card information is not stored within Nando’s accounts, leaving some questions as to how the hacks occurred.

The Nando’s chain of Peri-Peri chicken eateries is a fixture on most main drags in U.K. and European cities, with dozens of locations in the U.S. as well. It confirmed a credential-stuffing attack on Friday.

Credential-stuffing takes advantage of users who reuse the same passwords across multiple online accounts. The cyberattackers use stolen passwords and usernames from previous data breaches to brute-force accounts on a wide scale, and when a match is found, they can take over the victim’s account.

Multiple Nando’s customers said their usernames and passwords were stolen and the accounts used to place high-volume orders, according to reports. The mobile numbers were also changed on the impacted accounts.

“We can confirm that while our systems have not been hacked, unfortunately some individual Nando customer accounts have been accessed by a party or parties using a technique called credential-stuffing, whereby the customer’s email address and password have been stolen from somewhere else and, if they use the same details with us, used to access their Nando’s accounts,” Nando’s said in a press statement. “We take immediate action to refund anyone who has been impacted and secure those affected Nando’s accounts.”

It added, “We have made and are continuing to make investments to improve our detection and prevention of suspicious and malicious activity. We apologize to our customers who have been impacted by this.”
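
The pattern reported above (one source trying many different accounts, then a changed mobile number on an account it got into) can be detected from authentication logs. The following is an added example, not code from the article or from Nando's; the event names, thresholds and sample log entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real logs): (time, source IP, account, event, success)
EVENTS = [
    ("12:00:01", "203.0.113.7", "ann@example.com", "login", False),
    ("12:00:02", "203.0.113.7", "bob@example.com", "login", False),
    ("12:00:03", "203.0.113.7", "cat@example.com", "login", True),
    ("12:00:04", "203.0.113.7", "dan@example.com", "login", False),
    ("12:00:05", "203.0.113.7", "eve@example.com", "login", False),
    ("12:01:10", "203.0.113.7", "cat@example.com", "phone_change", True),
    ("12:02:00", "198.51.100.9", "fay@example.com", "login", False),
    ("12:02:20", "198.51.100.9", "fay@example.com", "login", True),
    ("12:30:00", "198.51.100.9", "fay@example.com", "phone_change", True),
]

def parse(ts):
    return datetime.strptime(ts, "%H:%M:%S")

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """IPs that attempted logins on >= min_accounts distinct accounts in one window.
    Many accounts with few tries each separates stuffing from a user mistyping
    one password (assumed thresholds; tune to real traffic)."""
    by_ip = defaultdict(list)
    for ts, ip, user, kind, _ in events:
        if kind == "login":
            by_ip[ip].append((parse(ts), user))
    flagged = set()
    for ip, tries in by_ip.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):
            users = {u for t, u in tries[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def likely_takeovers(events, follow_up=timedelta(minutes=10)):
    """Accounts logged into from a flagged IP whose phone number changed soon after."""
    flagged = stuffing_sources(events)
    logins = {}  # account -> time of successful login from a flagged IP
    hits = []
    for ts, ip, user, kind, ok in sorted(events):
        if kind == "login" and ok and ip in flagged:
            logins[user] = parse(ts)
        elif kind == "phone_change" and user in logins:
            if parse(ts) - logins[user] <= follow_up:
                hits.append(user)
    return hits
```

Accounts returned by `likely_takeovers` are candidates for a forced password reset and a hold on the contact-detail change pending verification.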