Credential Stuffing Attack Exposes Data of Jason’s Deli Customers
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Popular US-based restaurant chain Jason’s Deli informed the customers registered with its online platform that their personal data might have been exposed in a data security incident.
According to the notification letter sent to customers and submitted to the Maine Attorney General’s Office, the incident was first discovered on December 21, 2023. The restaurant chain said that unknown hackers obtained credentials from data breach incidents unrelated to Jason’s Deli and used them to access its reward and online accounts.
“On December 21, 2023, we learned that an unauthorized party had obtained an unknown number of Deli Dollar and online account login credentials (usernames and passwords) most likely from other data breaches or other sources not involving Jason’s Deli,” the notice read.
According to the list submitted by the company, nearly 344,000 individuals were affected by this credential stuffing attack, and the personal information compromised may include:
- Name
- Address (all saved delivery addresses)
- Phone number
- Birthday
- Contact list
- House account number
- Deli Dollars points
- Truncated gift card/credit card numbers (last 4 digits)
Despite the type of information compromised, Jason’s believes that the attack can only be effective if the affected users have reused the same credentials across multiple online platforms, which makes their Deli accounts susceptible to online hacking.
Jason’s Deli also revealed that although the incident was discovered, it was unable to confirm the number of accounts affected. “We do not know the number of accounts that the unauthorized party was able to access, but out of an abundance of caution, we are sending this notice to all potentially affected account holders,” it said in the notification.
In addition to bolstering its data security, the company will also be restoring the Deli Dollars balances of impacted customers’ accounts (wherever applicable). Customers are also advised to change their usernames and create complex passwords for Deli and other online accounts.
With more than 250 restaurants, Jason’s Deli is an American family-owned restaurant chain with over 6,000 employees across the US.
Massive Data Leak Exposes Billions of Personal Information
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
In a never-before-seen database leak, security researchers found billions of personal records exposed online. The 12TB of information, containing over 26 billion records from previously exposed breaches, was discovered by a team of cybersecurity researchers at Cybernews and Bob Diachenko.
Dubbed the Mother of all Breaches (MOAB), the exposed data is available on an open instance and can be accessed by any user. It is said to contain data in over 3,800 folders, with each folder signifying a separate breach.
“While this doesn’t mean that the difference between the two automatically translates to previously unpublished data, billions of new records point to a very high probability, the MOAB contains never seen before information,” the researchers said.
Among the exposed records, the largest number is from Tencent customers (1.5 billion); Weibo, a Chinese messaging app like WhatsApp (504 million); and MySpace (360 million). X (formerly Twitter) had 281 million records exposed, along with 251 million from LinkedIn. The list is also said to contain records of various companies and government organizations in Brazil, Germany, and the US, among others.
Moreover, it is very likely that this leak does not contain data from any new undiscovered leak, but mainly contains records of past data breaches. Due to the high number of records, it is also likely to contain a sizable number of duplicates.
While the type of personal information contained in these records remains unclear, it is believed to contain “far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors,” according to the researchers.
“Every single data breach ever reported or sold was carefully collected by an unknown actor and left in a misconfigured instance,” tweeted Diachenko on X.
In light of this incident, it is imperative that users, especially those who reuse usernames and passwords, immediately change their passwords, enable 2-factor authentication, and stay vigilant against phishing emails and messages.