More than 340,000 customers of popular restaurant chain Jason’s Deli may have had their personal information exposed in a credential stuffing attack, a scheme in which the hacker uses stolen or leaked credentials from one service to log into accounts on other services.
In a notification to members of the business’ Deli Dollars rewards program or customers with a Jason’s Deli online account, company officials said they learned on December 21, 2023, that hackers had gotten ahold of Deli Dollar and online account login credentials “most likely from other data breaches or other sources not involving Jason’s Deli.”
“These unauthorized parties apparently used these login credentials to determine if they matched those of our reward and online accounts,” they wrote. “For example, if you utilized the same user name and password combination to open your Jason’s Deli account that was used on another website or account with a company that may have been compromised in the past, this would theoretically allow them access to your Jason’s Deli account.”
Jason’s Deli officials said the bad actors did not get the usernames and passwords used to get access into the accounts by hacking into the restaurant chain’s systems. The company doesn’t store or retain customer login credentials.
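The pattern the company describes, an outside party replaying leaked username/password pairs to see which ones match, leaves a recognisable footprint in login logs: one source hitting many different accounts in quick succession and failing on most of them, because only customers who reused a breached password will match. The following script is an added illustration for this article, not code from Jason’s Deli; the space-separated log format, the field names and the thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Spot credential-stuffing patterns in web login logs.

Added illustration for this article; not code from Jason's Deli. The
space-separated log format, the field names and the thresholds below are
assumptions, so adapt them to whatever your authentication tier records.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed sample log lines (not real data). Fields: UTC timestamp,
# source IP, username, result. The first source cycles through many
# different accounts in a few seconds with mostly failures, which is the
# footprint of replaying leaked username/password pairs.
SAMPLE_LOG = """\
2023-12-21T02:14:01Z 203.0.113.7 alice@example.com FAIL
2023-12-21T02:14:02Z 203.0.113.7 bob@example.com FAIL
2023-12-21T02:14:02Z 203.0.113.7 carol@example.com SUCCESS
2023-12-21T02:14:03Z 203.0.113.7 dave@example.com FAIL
2023-12-21T02:14:03Z 203.0.113.7 erin@example.com FAIL
2023-12-21T02:14:04Z 203.0.113.7 frank@example.com FAIL
2023-12-21T02:14:05Z 203.0.113.7 grace@example.com SUCCESS
2023-12-21T02:14:05Z 203.0.113.7 heidi@example.com FAIL
2023-12-21T09:30:10Z 198.51.100.4 alice@example.com FAIL
2023-12-21T09:30:25Z 198.51.100.4 alice@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    succeeded: Set[str] = field(default_factory=set)  # accounts the source got into
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Fold the log into per-source counters."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "SUCCESS":
            s.succeeded.add(user)
        else:
            s.failures += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.5, max_secs_per_attempt=5.0):
    """Return {ip: details} for sources that look like credential stuffing.

    A legitimate user retrying a forgotten password hits one account slowly;
    a stuffing tool hits many accounts quickly and fails on most of them.
    """
    flagged = {}
    for ip, s in stats.items():
        span = (s.last - s.first).total_seconds()
        secs_per_attempt = span / s.attempts
        fail_ratio = s.failures / s.attempts
        if (len(s.users) >= min_users
                and fail_ratio >= min_fail_ratio
                and secs_per_attempt <= max_secs_per_attempt):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                # reached with valid credentials: force-reset and notify these
                "compromised": set(s.succeeded),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(ip, info)
```

The useful output for an incident responder is the `compromised` set: those are the accounts the attacker actually reached with a valid password, so they are the ones to reset and notify first, rather than the whole customer base. In practice the same aggregation is run per source network or per device fingerprint as well, since stuffing tools rotate IP addresses.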
How Many Accounts is Unclear
That said, the business is unsure how many accounts were breached through the credential stuffing attack, so it sent the notice to all account holders or rewards program members. In a notice about the data breach sent to the state of Maine, they estimated 344,034 people could have been affected.
Among the personal information in an account that could have been stolen are customers’ names, addresses, phone numbers, birthdays, order history, contact lists and the names and email addresses used for sending group orders, Deli Dollars points and available redeemable amounts and banked rewards, and truncated gift card and credit card numbers.
“The unauthorized party would not have been able to view your entire payment/gift card number – potentially they would only have been able to view the last four digits,” they wrote.
Jason’s Deli is a sprawling business, with 250 locations spread over 28 states, mostly in the South and Midwest, though there are restaurants as far West as Las Vegas, up to Wisconsin in the North, and into Pennsylvania and Maryland.
Company officials said that once they learned about the intrusion, they began trying to identify affected accounts and requiring that account passwords be more complex. They also said they will restore the Deli Dollars account balances for customers and urged people to change the passwords on their accounts to ones that are not easy to guess and are not used on other websites or accounts.
Password Reuse a Problem
Credential stuffing attacks take advantage of the habit many people have of reusing usernames and passwords across multiple online accounts, which makes the attack method a poster child for organizations that want to move away from passwords for user authentication.
IT giants like Google and Microsoft, as well as industry groups like the FIDO Alliance, are pushing to do away with passwords for authentication in favor of other options, such as passkeys. They also advocate for tools like multifactor authentication (MFA) in the meantime to add another layer to user verification.
People also can use password managers for creating and storing random passwords for websites and accounts.
A Lot of Online Accounts and Websites
According to VPN provider NordPass, the average person is juggling 100 passwords, and cybersecurity firm SpyCloud in a 2022 report found that 70% of people whose information was exposed in data breaches the year before reused passwords. SpyCloud also reported 64% of Fortune 1000 employees reused passwords across multiple sites.
Having so many accounts and passwords to remember is difficult for individuals to manage. However, until people stop reusing passwords across multiple accounts, situations like the one at Jason’s Deli will continue to happen, according to Omri Weinberg, co-founder and chief revenue officer at SaaS security platform provider DoControl.
“If these users maintained a different password for every online account they create, then the compromise of another set of credentials could not affect Jason’s Deli (or anyone else),” Weinberg said. “Unfortunately, there is no way for Jason’s Deli or any organization to enforce the use of a unique password.”
The solution lies with “better education and consumer behavior online: specifically using a good password manager to maintain unique and complex passwords for every site or account they use,” he said.
Joseph Carson, chief security scientist and advisory CISO at cybersecurity firm Delinea, said that as long as companies let users choose their passwords, attacks like credential stuffing will happen. People should use a password vault, password manager, or a similar tool to ensure unique passwords for every account.
They also need to use MFA “so that even when accounts are compromised, the password is not the only security control protecting their data,” Carson said. “For businesses and services that provide online accounts, it is a reminder that when you allow users to choose their own passwords and store sensitive data on your systems, when you do not enforce strong passwords best practices [and] credential stuffing mitigations, and follow secure by design, it will result in users’ accounts eventually being compromised.”
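Carson’s point that a service cannot stop users from reusing a password, but can refuse passwords that are already known to be compromised, is usually implemented with a breached-password check at password-set time. The script below is an added example for this article, not Jason’s Deli code, showing the k-anonymity range scheme popularised by Have I Been Pwned’s Pwned Passwords API: the client hashes the password, sends only the first five hex digits of the SHA-1, and matches the returned suffixes locally, so the lookup service never sees the password or its full hash. The breach corpus here is a constructed in-memory sample so the script runs offline; `range_query()` stands in for what would be an HTTPS call in production.

```python
"""Block passwords that already appear in a breach corpus, using the
k-anonymity range scheme that Have I Been Pwned's Pwned Passwords API
popularised. Added example for this article; not Jason's Deli code.
The server side is a constructed in-memory corpus so the script runs
offline; in production range_query() would be an HTTPS request.
"""
import hashlib
from typing import List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the range protocol works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample of leaked passwords (labelled test data, not a real
# breach dump). The "server" keeps only digests, never plaintext.
_LEAKED_SAMPLE = ["password", "123456", "letmein", "qwerty", "Winter2023!"]
BREACH_CORPUS = {sha1_hex(p) for p in _LEAKED_SAMPLE}


def range_query(prefix5: str) -> List[str]:
    """Server side of the range protocol: given a 5-hex-char prefix, return
    the 35-char suffixes of every corpus hash sharing it. With a real corpus
    each prefix covers hundreds of hashes, which is what hides the query."""
    if len(prefix5) != 5 or any(c not in "0123456789ABCDEF" for c in prefix5):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return sorted(h[5:] for h in BREACH_CORPUS if h.startswith(prefix5))


def is_breached(password: str) -> bool:
    """Client side: only the 5-character prefix leaves this function;
    the suffix comparison happens locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def validate_new_password(password: str, min_len: int = 12) -> List[str]:
    """Return the reasons to reject a candidate password (empty = accept).

    Length is checked first, but the breach check is what actually blunts
    credential stuffing: a long password reused from a breached site is
    still a known credential, however complex it looks.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus; choose one not used elsewhere")
    return problems


if __name__ == "__main__":
    for candidate in ["Winter2023!", "lantern-orbit-quiet-marble-48"]:
        print(candidate, validate_new_password(candidate) or "accepted")
```

The check belongs at registration, password change and, ideally, at login for existing accounts, so that a customer whose reused password later shows up in a breach is prompted to change it before a stuffing run reaches them. Pair it with MFA and per-source throttling; the breach check reduces how many stuffed pairs will match, and MFA limits what a match is worth.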