Red Rooster Has Been Hacked?

I just got this email…

My only question is "WHY?"

WHY would anyone bother with hacking an account for free chicken??? A whole BBQ chicken costs $15 at Red Rooster and you need to spend thousands of dollars to get enough points with them to get a chook - I'm pretty sure maybe 5 people in Australia have this many points!!!

Are they just using this as a form of advertising for themselves? Any publicity is good publicity!:

Hi Sir/Madam,

Red Rooster (a brand controlled by Craveable Brands Pty Ltd) has recently been informed by a small number of customers that their Red Royalty accounts were accessed by an unauthorised third party. Red Rooster treats any potential misuse of data, regardless of the extent of that misuse, exceptionally seriously. Our priority is to minimise any impact on you, our most loyal customers, specifically in this case, the potential impact being the misuse of your Red Royalty dollars.

We have conducted an investigation with a third party IT Security consultant and concluded that the issue is related to what is known as credential stuffing. Effectively, credentials such as an email and password combination are obtained from a data breach on one service and are used to attempt to log in to another unrelated service. These attempts have low success rates, but in this case, your account has been identified as one account at risk (i.e. it is possible that the unauthorised third party accessed your Red Royalty account). Red Rooster does not believe that its system was or has been hacked by the third party. However, unauthorised access to your account could result in the third party obtaining your name, address (residential and/or email), phone number or birth date information if this is stored in your account. It could also result in your Red Royalty dollars being redeemed without your consent.

Most important for you at this time is completing some recommended next steps:

Monitor your Red Royalty account for unauthorised use of your loyalty dollars. If you believe that you have been impacted, you may reach out to us here.

Change your password on your Red Royalty account by clicking here.

It is best practice to not use the same username and password combination across multiple accounts. If you routinely use the same password across different services, it is recommended that you change the password on other accounts that you may have.

Continually be wary of phishing emails, telephone calls and text messages from any service requesting personal information. Avoid opening scam emails and text messages with attachments and links from unknown senders.

Comments

  • +2 votes

    Comrade Hungry.

  •  

    Free chicken! Why not? People steal anything and everything.

  • +5 votes

    Effectively, credentials such as an email and password combination are obtained from a data breach on one service and are used to attempt to log in to another unrelated service.

    also: name, address (residential and/or email), phone number or birth date

    The details are sold on the dark web.

  •  

    People reuse passwords. And hackers can cross reference data from multiple hacks/sources to build complete enough profiles to then commit identity theft.

  • +2 votes

    I mean, at least they emailed you about it. Domino's Australia got hacked and we were told nothing. I couldn't figure out why I kept getting emails asking me about my Croydon address (since I don't live there) until someone, I think on OzBargain, commented that Domino's got hacked, and I realized that's where I've been ordering all my Domino's from.

  • +1 vote

    Speaking as a software developer:

    Well, simple, because they can. Challenge accepted.

  • +2 votes

    This is why I use a secure password like hunter42

  •  

    I got this too. Bizarre they state this is credential stuffing because I don't use the email or mobile with this password on any other sites.

    •  

      From the email (my emphasis):

      your account has been identified as one account at risk (i.e. it is possible that the unauthorised third party accessed your Red Royalty account).

      Looks like they ran some algorithm to determine possible suspicious logins to all the accounts. Seems like your logins look "suspicious" 😉 (One possible source of false positives would be if you use a VPN.)

  •  

    Strange, I got the email, I opened my app, it had the name 'null', all my details gone? No card number, nothing, so I logged out, changed my password, logged back in and now all my details and card number are there? Strange!!!

  •  

    Red Rooster should be preventing users from using a breached password if they want to follow best practice

    https://developer.okta.com/blog/2018/06/11/how-to-prevent-yo...
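
The email describes credential stuffing as many login attempts with a low success rate, and one reply guesses that "at risk" accounts were picked out by analysing suspicious logins. The sketch below shows one way such a check could work; it is an added example, not Red Rooster's or its consultant's method, and the log fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, account, login succeeded).
EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "u1@example.com", False),
    ("2024-01-01T10:00:05", "203.0.113.7", "u2@example.com", False),
    ("2024-01-01T10:00:10", "203.0.113.7", "u3@example.com", True),   # reused password
    ("2024-01-01T10:00:15", "203.0.113.7", "u4@example.com", False),
    ("2024-01-01T10:00:20", "203.0.113.7", "u5@example.com", False),
    ("2024-01-01T10:00:25", "203.0.113.7", "u6@example.com", False),
    # Legitimate user who happens to share the same VPN exit address.
    ("2024-01-01T10:03:00", "203.0.113.7", "erin@example.com", True),
    # Ordinary user: one typo, then a successful login to their own account.
    ("2024-01-01T10:01:00", "198.51.100.20", "frank@example.com", False),
    ("2024-01-01T10:01:20", "198.51.100.20", "frank@example.com", True),
]

def at_risk_accounts(events, window=timedelta(minutes=10),
                     min_accounts=5, max_success_rate=0.3):
    """Return {account: source_ip} for accounts that logged in successfully
    from a source which, within `window`, tried at least `min_accounts`
    distinct accounts with a success rate of at most `max_success_rate`."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so it never spans more than `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {account for _, account, _ in span}
            success_rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and success_rate <= max_success_rate:
                # Every successful login in a stuffing-like burst is "at risk".
                for _, account, ok in span:
                    if ok:
                        flagged[account] = ip
    return flagged

if __name__ == "__main__":
    for account, ip in at_risk_accounts(EVENTS).items():
        print(f"at risk: {account} (successful login from {ip})")
```

On the constructed data, `erin@example.com` is flagged alongside `u3@example.com` only because she shares a source address with the burst, which is the VPN false positive the reply mentions.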