It's a mystery that has left some Chipotle customers across the country baffled.
Diners are reporting that shortly after ordering on Chipotle's app, someone else started billing phantom orders to their account.
Jessica Gallenstein is one of those diners. She recently placed an order through Chipotle's app, then picked her order up a few minutes later at Cincinnati's Western Hills store on Glenway Avenue.
"I just bought a meal for myself, and that was it," Gallenstein said.
But the next day her bank sent an alert her debit card was overdrawn. "My account was in negative amounts, and more than a hundred dollars were placed for orders I didn't give permission to be placed."
She couldn't believe what she saw when she logged into her banking app.
"I checked the transaction history and saw that multiple orders were placed through the Chipotle app without my permission," she said.
It showed a string of orders made over 24 hours, each ranging from $10 to $40, at several different Chipotle restaurants in the area, as if her password and user name had been shared among a group of friends.
How was her account hacked?
Luckily, her bank is dropping the charges. But Gallenstein wants to know who hacked her account.
"I'm disputing the charges, and they said they would take care of it at their end, but as for Chipotle, I've called them numerous times and haven't heard anything."
Chipotle admitted to a major data breach in 2017, two years ago, but it says these new cases have nothing to do with that. And it tells Nation's Restaurant News it has suffered no new breach this year.
But more than two dozen customers from all parts of the country have posted similar complaints on Reddit.
So we contacted Chipotle, where a spokeswoman told us via email:
"Chipotle customer accounts, like accounts for many other retail, hotel, and restaurant companies, have had instances of 'credential stuffing', where user names and passwords stolen from other companies are tested to see if they work." (Full statement below)
Chipotle believes Gallenstein's password may have been stolen somewhere else, then used when she activated the app that evening.
But, she says "I've used other online ordering apps before and this has never happened to me." So she remains nervous, even though she has now changed her password.
How to protect yourself
So if you are a Chipotle customer, should you be concerned?
Not at this time. As long as you use a unique password, you should be fine. But it is important to make sure you are not using the same password on multiple sites.
If that password is stolen from one site, a hacker will try it with your email address at many popular sites (such as Chipotle), so be careful and don't waste your money.
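The pattern Chipotle describes, one source trying stolen email/password pairs against many accounts, is also what a defender can look for in login logs. The following is an added example (not Chipotle's code or logs): the log format, the source addresses (RFC 5737 test ranges) and the thresholds are constructed assumptions; it flags sources that hit many distinct accounts with mostly failed logins and reports which accounts they nonetheless got into, since those are the ones needing a forced password reset.

```python
"""Flag credential-stuffing patterns in constructed application login logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not real Chipotle data); IPs are RFC 5737 test addresses.
SAMPLE_LOG = """\
2019-04-10T20:01:03Z src=203.0.113.7 user=alice@example.com result=fail
2019-04-10T20:01:04Z src=203.0.113.7 user=bob@example.com result=fail
2019-04-10T20:01:05Z src=203.0.113.7 user=carol@example.com result=success
2019-04-10T20:01:06Z src=203.0.113.7 user=dave@example.com result=fail
2019-04-10T20:01:07Z src=203.0.113.7 user=erin@example.com result=fail
2019-04-10T20:01:08Z src=203.0.113.7 user=frank@example.com result=fail
2019-04-10T20:05:00Z src=198.51.100.9 user=grace@example.com result=fail
2019-04-10T20:05:20Z src=198.51.100.9 user=grace@example.com result=fail
2019-04-10T20:05:40Z src=198.51.100.9 user=grace@example.com result=success
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(success|fail)$")


def parse(text):
    """Return (timestamp, src_ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "success"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """Map each suspicious source IP to the accounts it logged into successfully.

    A source is suspicious when, inside `window`, it tries at least `min_users`
    distinct accounts and most attempts fail: a person mistyping a password hits
    one account; a stuffing tool walks a list of many leaked accounts.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp, so per-source lists are ordered
        by_src[ev[1]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):    # sliding time window over this source's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = {e[2] for e in span if e[3]}
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                hits.setdefault(src, set()).update(successes)
    return hits
```

On the sample above the tool-like source is flagged and the one account it opened is returned; the second source, one user retrying their own password, is not.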
"Don't Waste Your Money" is a registered trademark of Scripps Media, Inc. ("Scripps").
Follow John on Twitter (@JohnMatarese)
For more consumer news and money saving advice, go to www.dontwasteyourmoney.com
FULL STATEMENT FROM CHIPOTLE:
"The privacy and security of our customer information is very important to us. Chipotle customer accounts, like customer accounts for many other retail, hotel, and restaurant companies, have had instances of credential stuffing. This occurs where user names and passwords stolen from other companies are tested to see if they work to access accounts at other companies. Chipotle has not identified any indication that user names and passwords were taken from Chipotle’s network, and Chipotle does not retain the full payment card number after it is used for digital orders. We have taken steps to combat credential stuffing including engaging with law enforcement, requiring strong passwords and through technology. We also engage security firms to evaluate our security measures. If a customer is ever concerned about activity in their account, they should contact our customer support team at CustomerServiceTeam@chipotle.com."
Laurie Schalow | Chief Corporate Reputation Officer, Chipotle