Hell Pizza Suffers Credential Stuffing Attack

Monday, 31 July 2023

Hell Pizza follows in the wake of Pizza Hut and Domino's in reporting a security incident of its own. Unlike the other two pizza giants, however, Hell Pizza's own systems were not broken into: the incident was a credential stuffing attack against customer accounts, not a breach of the company's infrastructure or database.

In a credential stuffing attack, attackers take username and password combinations leaked in earlier data breaches and replay them against other websites, betting that some customers reuse the same credentials on more than one site. For example, a person who registers with Hell Pizza may use the same email address and password to log into an unrelated site (such as YouTube); if that other site is breached, the leaked pair also opens the Hell Pizza account.

The process is almost always automated, with attempts arriving at rates of thousands per minute or more, and it is usually spread across large pools of proxy or botnet addresses so that no single IP stands out. Per-IP rate limiting (say, one attempt per address every few seconds) is therefore a useful first line of defence but not a complete one: an attacker with enough addresses simply stays under the per-IP threshold. Robust protection layers on per-account throttling, screening of new passwords against known-breached lists, bot detection, and multi-factor authentication. Per-IP limiting alone was evidently not enough to stop the run Hell Pizza detected on July 22.
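To make that distinction concrete, the following is an added example written for this article; it is not Hell Pizza's code, and the log format, IP addresses, usernames and the single reused password in it are constructed. It replays one minute of login events through a sliding-window per-IP limiter of the kind described above, then applies the per-IP and per-account indicators that actually surface a distributed stuffing run, including the one account the reused password opened.

```python
"""Credential-stuffing detection over constructed login events.

Added example for this article; it is not Hell Pizza's code, and the log
format, IP addresses and usernames are made up for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: float   # seconds since the start of the capture
    ip: str     # client address seen by the login endpoint
    user: str   # username (here a short handle standing in for an e-mail address)
    ok: bool    # True if the password was accepted


def parse_line(line: str) -> LoginEvent:
    """Parse one '<ts> <ip> <user> <OK|FAIL>' line (a constructed format)."""
    ts, ip, user, result = line.split()
    return LoginEvent(float(ts), ip, user, result == "OK")


# Constructed baseline: a few genuine customers logging in from their own addresses.
LEGIT_LINES = [
    "0 203.0.113.10 alice OK",
    "7 203.0.113.11 bob FAIL",    # one typo, then success from the same address
    "12 203.0.113.11 bob OK",
    "30 203.0.113.12 carol OK",
]
# Constructed stuffing run: 12 proxy addresses, each sending one attempt every
# 6 seconds, rotating through 40 leaked usernames. Exactly one leaked pair
# (attempt index 41) still works because that customer reused the password.
PROXIES = [f"198.51.100.{i}" for i in range(1, 13)]
LEAKED_USERS = [f"user{n:02d}" for n in range(40)]
REUSED_PAIR_INDEX = 41


def attack_lines() -> list[str]:
    lines, k = [], 0
    for ts in range(0, 60, 6):                 # 10 rounds in one minute
        for ip in PROXIES:                     # 12 attempts per round
            user = LEAKED_USERS[k % len(LEAKED_USERS)]
            result = "OK" if k == REUSED_PAIR_INDEX else "FAIL"
            lines.append(f"{ts} {ip} {user} {result}")
            k += 1
    return lines


def sample_events() -> list[LoginEvent]:
    return [parse_line(line) for line in LEGIT_LINES + attack_lines()]


class PerIpRateLimiter:
    """Sliding window: at most `limit` attempts per IP in any `window` seconds."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, ip: str, ts: float) -> bool:
        q = self._hits[ip]
        while q and ts - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def blocked_by_ip_limiter(events, limit: int, window: float) -> list[LoginEvent]:
    """Replay events in time order; return those a per-IP limiter would reject."""
    lim = PerIpRateLimiter(limit, window)
    return [e for e in sorted(events, key=lambda e: e.ts) if not lim.allow(e.ip, e.ts)]


def per_ip_suspects(events, min_users=5, min_fail_ratio=0.8) -> list[str]:
    """IPs that try many distinct usernames and almost always fail: stuffing sources."""
    users, fails, total = defaultdict(set), Counter(), Counter()
    for e in events:
        users[e.ip].add(e.user)
        total[e.ip] += 1
        fails[e.ip] += (not e.ok)
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio)


def targeted_accounts(events, min_ips=3) -> list[str]:
    """Usernames attempted from many distinct IPs: the account-side view of stuffing."""
    ips = defaultdict(set)
    for e in events:
        ips[e.user].add(e.ip)
    return sorted(u for u, s in ips.items() if len(s) >= min_ips)


def likely_compromised(events, min_ips=3) -> list[str]:
    """Targeted accounts where at least one attempt succeeded: candidates for a forced reset."""
    succeeded = {e.user for e in events if e.ok}
    return [u for u in targeted_accounts(events, min_ips) if u in succeeded]


if __name__ == "__main__":
    ev = sample_events()
    print("attempts:", len(ev))
    print("blocked by 1-per-5s per-IP limit:", len(blocked_by_ip_limiter(ev, 1, 5.0)))
    print("blocked by 5-per-60s per-IP limit:", len(blocked_by_ip_limiter(ev, 5, 60.0)))
    print("stuffing source IPs:", per_ip_suspects(ev))
    print("accounts hit from >=3 IPs:", len(targeted_accounts(ev)))
    print("force password reset for:", likely_compromised(ev))
```

Run as a script, the one-attempt-per-five-seconds limiter blocks none of the 120 stuffing attempts, because each proxy only sends one every six seconds; tightening it to five per minute blocks half of them, but the attacker's answer is simply more proxies. The account-side view is what exposes the run: all 40 leaked usernames are hit from three different addresses each, and the one account where an attempt succeeded is exactly the kind that should be forced through a password reset.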

"The important message we want to get through to the public and our customers is that the Hell system and database remains secure," said Hell chief executive Ben Cummings. "The attack was not a result of a technical compromise or breach of Hell systems; the attacker used legitimate email addresses and passwords to access customer accounts. We hope that this example can help educate people on the importance of best-practice password security."

Hell Pizza alerted affected customers via email: "For a small minority of customers, the attacker was able to log in and access that customer's information. Unfortunately, our analysis shows your account was likely accessed."

"Once the attacker had successfully logged in, they accessed information held on your customer profile. This may include:
- your name, email address, and phone number;
- any stored addresses used for deliveries;
- some details of any stored credit/debit cards, including the cardholder name, expiry, and only parts of the card number;
- information about recent orders, including what was ordered and how much it cost."

"Please note that, in line with online payment standards, we do not store the full card number for credit/debit cards in our system. This means the full card number and the security code (CVV) were not able to be accessed."

Customers affected by the incident will be required to change their password the next time they log in. Alpha Safe strongly encourages a unique password for every website that requires a login, ideally generated and stored by a password manager so that uniqueness does not depend on memory. The Alpha Safe password suggestion remains a minimum length of twelve characters, with an emphasis on length over complexity. Additionally, Alpha Safe strongly recommends multi-factor authentication on every site that supports it: a reused password on its own does not get an attacker in when a second factor is required.

