PHOENIX — Strangers eating and drinking on your dime...but you don't know it until it's too late.
Josh in Phoenix let me know he received an email from Chipotle Mexican Grill letting him know his order was ready.
And it was a big order: six chicken burritos, large queso and chips, and several chicken tacos. In all, $115 worth of food.
And Josh didn't order any of it.
His Chipotle mobile app account was hacked and somebody in Tempe was preparing to feast on his dime.
The company almost immediately canceled his account, but we found this has been happening for months.
One consumer says he got "6 $1000 charges on my credit card for chipotle. Bank took care of it...who bought 882 chicken burritos?" Another says, "...the orders were in different states throughout the country."
And "...$479 for 24 different orders. ... the day after i signed up for their new rewards program and stored my cc info."
So how does this happen? In a statement, a Chipotle spokesperson says in part: "We are among the many retail, hotel and restaurant companies affected by credential stuffing..."
That's when scammers flood websites' stolen usernames and password combinations to gain access to accounts.
If you use similar passwords across various accounts, experts say it makes yours more vulnerable.
A couple of ways to protect yourself here:
- Don't save your payment information
- Use two-factor authentication whenever you can. That requires a pass code sent to your phone or email (in addition to your user name and password) before allowing access to your account.
If you experience similar problems, you can contact Chipotle here.