CINXE.COM

<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:site" content="@verge"/><meta property="fb:app_id" content="549923288395304"/><meta property="og:site_name" content="The Verge"/><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/><meta name="apple-mobile-web-app-title" content="Verge"/><meta name="google-site-verification" content="IucFf_TKtbFFH8_YeFyEteQIwYPdANM1R46_U9DpAr4"/><link rel="alternate" type="application/rss+xml" title="The Verge" href="/rss/index.xml"/><title>Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware - The Verge</title><meta name="robots" content="index,follow,max-image-preview:large"/><meta name="description" content="exe.coli"/><meta property="og:title" content="Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware"/><meta property="og:description" content="exe.coli"/><meta property="og:url" content="https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware"/><meta property="og:type" content="article"/><meta property="article:published_time" content="2017-05-26T19:49:16.000Z"/><meta property="article:modified_time" content="2017-05-26T19:49:16.000Z"/><meta property="og:image" content="https://cdn.vox-cdn.com/thumbor/YCmbhcMjQx25iYXt4Vhb830euEA=/0x0:1100x733/1200x628/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg"/><meta property="og:image:alt" content="chipotle"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="628"/><link rel="canonical" href="https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware"/><meta property="author" content="Natt Garun"/><meta name="parsely-type" content="post"/><meta name="parsely-title" content="Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware"/><meta name="parsely-link" content="https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware"/><meta name="parsely-image-url" content="https://cdn.vox-cdn.com/thumbor/YCmbhcMjQx25iYXt4Vhb830euEA=/0x0:1100x733/1200x628/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg"/><meta name="parsely-pub-date" content="2017-05-26T19:49:16.000Z"/><meta name="parsely-section" content="front-page"/><meta name="parsely-tags" content="verge"/><meta name="parsely-author" content="Natt Garun"/><script type="application/ld+json">{"@context":"http://schema.org/","@type":"NewsArticle","headline":"Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware","description":"exe.coli","datePublished":"2017-05-26T19:49:16.000Z","dateModified":"2017-05-26T19:49:16.000Z","thumbnailUrl":"https://cdn.vox-cdn.com/thumbor/aIjGnIAV3tFpqnpF_F4bqjZ3UsQ=/0x0:1100x733/1400x788/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","author":[{"@type":"Person","name":"Natt Garun","url":"https://www.theverge.com/authors/natt-garun"}],"publisher":{"@type":"Organization","name":"The Verge","logo":{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/uploads/chorus_asset/file/24015294/verge_duet_google_news.png","width":250,"height":50}},"image":[{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/thumbor/aIjGnIAV3tFpqnpF_F4bqjZ3UsQ=/0x0:1100x733/1400x788/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","width":1400,"height":788},{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/thumbor/cdBjjyHBd8bCiPof2hSFqNfKSIE=/0x0:1100x733/1400x1050/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","width":1400,"height":1050},{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/thumbor/QCDvXVA3oPP3ENtZwhRGBLlsdzI=/0x0:1100x733/1400x1400/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","width":1400,"height":1400}],"url":"https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware","articleBody":"Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.\n\n“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”\n\n\"every state Chipotle operates in had restaurants that were breached\"\n\nWe browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) \n\nChipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the many things Chipotle can screw you over for.\n"}</script><link rel="preload" as="image" imageSrcSet="https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/16x11/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 16w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/32x21/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 32w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/48x32/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 48w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/64x43/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 64w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/96x64/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 96w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/128x85/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 128w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/256x171/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 256w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/376x251/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 376w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/384x256/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 384w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/415x277/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 415w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/480x320/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 480w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/540x360/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 540w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/640x427/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 640w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/750x500/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 750w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/828x552/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 828w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1080x720/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1080w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1200x800/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1200w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1440x960/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1440w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1920x1280/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1920w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/2048x1365/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 2048w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/2400x1600/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 2400w" imageSizes="(max-width: 768px) calc(100vw - 100px), (max-width: 1180px) 700px, 600px"/><meta name="next-head-count" content="35"/><meta name="robots" content="nocache"/><script src="https://cdn.bullwhip.cloud/sonar/vox-verge.umd.js" async=""></script><link rel="me" href="https://mastodon.social/@verge"/><link rel="shortcut icon" href="/icons/favicon.ico"/><link rel="apple-touch-icon" sizes="180x180" href="/icons/apple_touch_icon.png"/><link rel="icon" type="image/png" sizes="32x32" href="/icons/favicon_32x32.png"/><link rel="icon" type="image/png" sizes="96x96" href="/icons/favicon_96x96.png"/><link rel="icon" type="image/png" sizes="16x16" href="/icons/favicon_16x16.png"/><link rel="mask-icon" href="/icons/safari_pinned_tab.svg" color="#5200ff"/><link rel="icon" type="image/png" href="/icons/android_chrome_192x192.png" sizes="192x192"/><link rel="icon" type="image/png" href="/icons/android_chrome_512x512.png" sizes="512x512"/><link rel="dns-prefetch" href="https://pagead2.googlesyndication.com"/><link rel="dns-prefetch" href="https://micro.rubiconproject.com/prebid/dynamic/7470.js"/><link rel="dns-prefetch" href="https://securepubads.g.doubleclick.net"/><link rel="dns-prefetch" href="https://stats.g.doubleclick.net"/><link rel="dns-prefetch" href="https://www.google-analytics.com"/><link rel="dns-prefetch" href="https://cdn.permutive.com"/><link rel="preload" href="/_next/static/media/b61d461e2e1d8573-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/af51b8e80b7e5b97-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/4c161430243654b9-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/faa4a7ab7fe4ff34-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/e0d450417c4fcdb2-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/c6806ee6b9a6284f-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/167de315d6f8820c-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/c32d4f9e62509b70-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/8314bd48671746e7-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/1acdcb23bd60cdf8-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/e334064d2786be51-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/dbe24bfb7e9bcd79-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/caa65695070c604f-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/7f8638c9585902a6-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/d2cd5f6e542bad4c-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/857aa1a339c7fe20-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/516340c748fee9da-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/afa7a955b67174eb-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/d2ddd5a6c0493c79-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/70754f98ca969379-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/60369a8d37d9d5b8-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/_next/static/media/96fec850ad729c00-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><script type="text/javascript" id="one_trust" data-nscript="beforeInteractive">function OptanonWrapper() </script><link rel="preload" href="/_next/static/css/d4c5b36c8bb8cf0d.css" as="style"/><link rel="stylesheet" href="/_next/static/css/d4c5b36c8bb8cf0d.css" data-n-g=""/><link rel="preload" href="/_next/static/css/08d3084d19fc06f3.css" as="style"/><link rel="stylesheet" href="/_next/static/css/08d3084d19fc06f3.css" data-n-p=""/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charSet="UTF-8" data-domain-script="3a41add1-8129-4584-aafc-e0da9979d233" async="" defer="" data-nscript="beforeInteractive"></script><script src="https://micro.rubiconproject.com/prebid/dynamic/7470.js" async="" defer="" data-nscript="beforeInteractive"></script><script src="https://c.amazon-adsystem.com/aax2/apstag.js" async="" defer="" data-nscript="beforeInteractive"></script><script src="https://www.googletagservices.com/tag/js/gpt.js" async="" defer="" data-nscript="beforeInteractive"></script><script src="https://cdn.concert.io/lib/concert-ads/v2-latest/concert_ads.js" async="" defer="" data-nscript="beforeInteractive"></script><script src="https://cdn.concert.io/lib/concert-concierge.2.10.1.min.js" async="" defer="" data-nscript="beforeInteractive"></script><script src="https://pub.doubleverify.com/dvtag/21236410/DV464041/pub.js" async="" defer="" data-nscript="beforeInteractive"></script><script src="/_next/static/chunks/webpack-eef9d6bb51d7e04e.js" defer=""></script><script src="/_next/static/chunks/framework-1d2b8554342c6a75.js" defer=""></script><script src="/_next/static/chunks/main-a19b11f4c6f53406.js" defer=""></script><script src="/_next/static/chunks/pages/_app-f37f458b574f2e23.js" defer=""></script><script src="/_next/static/chunks/7404-a1bc449f4440a25c.js" defer=""></script><script src="/_next/static/chunks/5833-5ad65b6eeff676da.js" defer=""></script><script src="/_next/static/chunks/6290-a9eda2c180cfb8cd.js" defer=""></script><script src="/_next/static/chunks/5271-346d91caff9b1218.js" defer=""></script><script src="/_next/static/chunks/3882-4e711a09aa4476ce.js" defer=""></script><script src="/_next/static/chunks/2156-6ec5849a2514173a.js" defer=""></script><script src="/_next/static/chunks/996-f415a23a59cde4f1.js" defer=""></script><script src="/_next/static/chunks/3494-79231dcbde5aec1f.js" defer=""></script><script src="/_next/static/chunks/5207-43db110d3fd66f84.js" defer=""></script><script src="/_next/static/chunks/6276-ea6f3169216875c5.js" defer=""></script><script src="/_next/static/chunks/4889-8f8183d20c3f8103.js" defer=""></script><script src="/_next/static/chunks/9546-616c63fbef178ffc.js" defer=""></script><script src="/_next/static/chunks/1269-072c3ccc6c655f31.js" defer=""></script><script src="/_next/static/chunks/825-ca247d4c069b48ce.js" defer=""></script><script src="/_next/static/chunks/4640-33e62f43d3f652bf.js" defer=""></script><script src="/_next/static/chunks/6901-24863ddc8c5fe735.js" defer=""></script><script src="/_next/static/chunks/pages/entry/standard/%5Buid%5D-1342d0bb04871557.js" defer=""></script><script src="/_next/static/eRiIIZjNhI1r-REYnWsjp/_buildManifest.js" defer=""></script><script src="/_next/static/eRiIIZjNhI1r-REYnWsjp/_ssgManifest.js" defer=""></script><style id="__jsx-2324231005">:root{--font-fkroman:'__fkRomanStandard_6bdc6d', '__fkRomanStandard_Fallback_6bdc6d', Georgia, serif;--font-manuka:'__manuka_e0d4a3', '__manuka_Fallback_e0d4a3', Impact, Helvetica, sans-serif;--font-polysans:'__polySans_c60300', '__polySans_Fallback_c60300', Helvetica, Arial, sans-serif;--font-polysans-mono:'__polySansMono_0d16dc', '__polySansMono_Fallback_0d16dc', Courier New, Courier, monospace}</style></head><body class="antialiased"><div id="__next"><style> *, *::before, *::after { transition: none!important; } </style><div class="jsx-2324231005 duet--app"><a class="text-2xl text-pink-500 border-b-pink-500 focus:outline-pink-500 sr-only z-50 block border-8 bg-white p-7 text-center opacity-0 transition-opacity focus:visible focus:static focus:h-auto focus:w-full focus:overflow-auto focus:opacity-100 focus:outline-dotted" href="#content">Skip to main content</a><div class=""><div class="duet--navigation--navigation"><div class="absolute h-[64px] w-full overflow-x-hidden md:h-[150px]"><div class="relative h-[64px] w-full max-w-container-lg md:left-1/2 md:h-[150px] md:-translate-x-1/2"><a href="/"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 309 70" role="img" class="absolute left-[-16px] top-[-3px] z-0 h-[64px] w-[282px] md:h-[174px] md:w-[769px] md:left-[-200px] md:top-[-24px] fill-franklin md:fill-franklin/50" width="100%" height="100%" fill="none"><title>The Verge</title><desc>The Verge logo.</desc><path d="m231.196 17.897-.302 9.071c-10.592-.726-13.618 1.996-13.618 10.885V39h-9.078V18.441h9.078v5.866c2.724-4.777 6.416-6.954 13.92-6.41ZM15.131 54.786h9.078V19.71h-9.078v35.075Zm44.968-36.828c-6.355 0-10.228 2.842-12.286 5.986V4.593H0v8.466h39.34V39h8.654c0-7.438 4.298-12.697 9.563-12.697 4.54 0 6.597 2.237 6.597 10.28v18.203h9.078V33.318c0-10.28-5.265-15.36-13.133-15.36ZM95.807 47.83c-5.507 0-9.078-3.326-9.683-8.829H77.59c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.15 3.447-3.268 5.261-7.989 5.261Zm-.363-29.692a19.226 19.226 0 0 0-9.32 2.177l4.357 6.168c1.634-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68H95.02v6.048h17.31c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM185.32 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.302-29.692a19.226 19.226 0 0 0-9.321 2.177l4.358 6.168c1.634-.846 3.389-1.27 5.265-1.21 5.084 0 7.687 3.327 8.05 7.68h-8.776v6.048h17.31c.121-.907.181-1.754.181-2.66.061-13.184-8.655-18.203-17.067-18.203ZM291.416 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.484-29.692a19.225 19.225 0 0 0-9.32 2.177l4.357 6.168c1.635-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68h-8.775v6.048h17.309c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM117.172.299 133.5 39h9.926L130.971 8.221h16.099V.36L117.172.3Zm48.418.06L146.888 47.71l-2.784 7.076h9.502L176.06.36h-10.47Zm83.461 53.58c3.873 0 7.081-1.089 9.32-2.963l-3.631-5.745c-1.15.484-2.421.665-3.692.665-4.963 0-7.808-2.963-8.776-6.894h-8.897c1.211 8.406 7.263 14.937 15.676 14.937Zm11.196-30.418c-2.057-3.265-6.234-5.624-12.044-5.624-5.689-.06-10.954 3.024-13.738 8.043l7.565 4.838c1.392-2.903 4.116-4.838 8.292-4.838 5.931 0 9.925 4.596 9.925 10.038 0 1.029-.121 2.057-.423 3.024h9.502v-20.5h-9.079v5.019Zm-8.775 38.642c-5.871 0-8.05-2.842-8.474-6.168h-8.654c.181 6.35 4.418 13.304 17.309 13.304 8.715 0 14.404-4.354 16.765-10.885l-8.171-2.842c-1.15 4.233-4.297 6.591-8.775 6.591Z"></path></svg></a><a class="absolute left-0 top-0 z-10 h-[60px] w-[265px] md:hidden" href="/"><span class="sr-only">The Verge homepage</span></a></div></div><div class="md:px-34 pointer-events-none relative mx-auto mb-16 flex h-[48px] w-full max-w-container-lg items-end px-20 font-polysans text-15 md:mb-80 md:h-80 md:text-19 lg:px-0"><nav class="pointer-events-auto relative ml-auto border-b pb-6 md:pb-8 text-black"><ul class="flex items-end font-light"><li class="hidden md:flex"><a href="/"><span class="sr-only">The Verge homepage</span><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 309 70" role="img" class="h-[28px] w-[117px] hover:opacity-60 hover:transition-all hover:ease-in-out md:translate-y-2 fill-black" width="100%" height="100%" fill="none"><title>The Verge</title><desc>The Verge logo.</desc><path d="m231.196 17.897-.302 9.071c-10.592-.726-13.618 1.996-13.618 10.885V39h-9.078V18.441h9.078v5.866c2.724-4.777 6.416-6.954 13.92-6.41ZM15.131 54.786h9.078V19.71h-9.078v35.075Zm44.968-36.828c-6.355 0-10.228 2.842-12.286 5.986V4.593H0v8.466h39.34V39h8.654c0-7.438 4.298-12.697 9.563-12.697 4.54 0 6.597 2.237 6.597 10.28v18.203h9.078V33.318c0-10.28-5.265-15.36-13.133-15.36ZM95.807 47.83c-5.507 0-9.078-3.326-9.683-8.829H77.59c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.15 3.447-3.268 5.261-7.989 5.261Zm-.363-29.692a19.226 19.226 0 0 0-9.32 2.177l4.357 6.168c1.634-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68H95.02v6.048h17.31c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM185.32 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.302-29.692a19.226 19.226 0 0 0-9.321 2.177l4.358 6.168c1.634-.846 3.389-1.27 5.265-1.21 5.084 0 7.687 3.327 8.05 7.68h-8.776v6.048h17.31c.121-.907.181-1.754.181-2.66.061-13.184-8.655-18.203-17.067-18.203ZM291.416 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.484-29.692a19.225 19.225 0 0 0-9.32 2.177l4.357 6.168c1.635-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68h-8.775v6.048h17.309c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM117.172.299 133.5 39h9.926L130.971 8.221h16.099V.36L117.172.3Zm48.418.06L146.888 47.71l-2.784 7.076h9.502L176.06.36h-10.47Zm83.461 53.58c3.873 0 7.081-1.089 9.32-2.963l-3.631-5.745c-1.15.484-2.421.665-3.692.665-4.963 0-7.808-2.963-8.776-6.894h-8.897c1.211 8.406 7.263 14.937 15.676 14.937Zm11.196-30.418c-2.057-3.265-6.234-5.624-12.044-5.624-5.689-.06-10.954 3.024-13.738 8.043l7.565 4.838c1.392-2.903 4.116-4.838 8.292-4.838 5.931 0 9.925 4.596 9.925 10.038 0 1.029-.121 2.057-.423 3.024h9.502v-20.5h-9.079v5.019Zm-8.775 38.642c-5.871 0-8.05-2.842-8.474-6.168h-8.654c.181 6.35 4.418 13.304 17.309 13.304 8.715 0 14.404-4.354 16.765-10.885l-8.171-2.842c-1.15 4.233-4.297 6.591-8.775 6.591Z"></path></svg></a><span aria-hidden="true" class="hidden px-16 md:inline">/</span></li><li class="hidden md:inline"><a href="/tech" class="hover:opacity-50 hover:transition-all hover:ease-in-out">Tech</a><span aria-hidden="true" class="hidden px-16 md:inline">/</span></li><li class="hidden md:inline"><a href="/reviews" class="hover:opacity-50 hover:transition-all hover:ease-in-out">Reviews</a><span aria-hidden="true" class="hidden px-16 md:inline">/</span></li><li class="hidden md:inline"><a href="/science" class="hover:opacity-50 hover:transition-all hover:ease-in-out">Science</a><span aria-hidden="true" class="hidden px-16 md:inline">/</span></li><li class="hidden md:inline"><a href="/entertainment" class="hover:opacity-50 hover:transition-all hover:ease-in-out">Entertainment</a><span aria-hidden="true" class="hidden px-16 md:inline">/</span></li><li class="hidden md:inline"><a href="/ai-artificial-intelligence" class="hover:opacity-50 hover:transition-all hover:ease-in-out tracking-widest">AI</a><span aria-hidden="true" class="hidden px-16 md:inline">/</span></li><li><button class="flex cursor-pointer flex-nowrap items-center hover:opacity-50 hover:transition-all hover:ease-in-out"><span class="hidden md:inline">More</span><span class="md:hidden">Menu</span><svg width="100%" height="100%" viewBox="0 0 28 28" xmlns="http://www.w3.org/2000/svg" class="ml-8 inline-block h-18 w-18 md:mt-2 md:h-[22px] md:w-[22px] fill-black"><title>Expand</title><path d="M28 11.76H16.24V0h-4.48v11.76H0v4.48h11.76V28h4.48V16.24H28v-4.48Z"></path></svg></button></li></ul></nav></div></div><div class="duet--navigation--sticky-nav fixed inset-x-0 top-0 z-40 w-full bg-white drop-shadow-sticky-nav transition-opacity duration-200 pointer-events-none opacity-0"><div class="mx-auto flex h-50 w-full max-w-container-lg items-center justify-between justify-self-start px-12 lg:px-0"><a class="flex" href="/" aria-label="The Verge logo. Click to visit the homepage" tabindex="-1"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 309 70" role="img" class="w-[141px] fill-black hover:opacity-60 hover:transition-all hover:ease-in-out" width="100%" height="100%" fill="none"><title>The Verge</title><desc>The Verge logo.</desc><path d="m231.196 17.897-.302 9.071c-10.592-.726-13.618 1.996-13.618 10.885V39h-9.078V18.441h9.078v5.866c2.724-4.777 6.416-6.954 13.92-6.41ZM15.131 54.786h9.078V19.71h-9.078v35.075Zm44.968-36.828c-6.355 0-10.228 2.842-12.286 5.986V4.593H0v8.466h39.34V39h8.654c0-7.438 4.298-12.697 9.563-12.697 4.54 0 6.597 2.237 6.597 10.28v18.203h9.078V33.318c0-10.28-5.265-15.36-13.133-15.36ZM95.807 47.83c-5.507 0-9.078-3.326-9.683-8.829H77.59c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.15 3.447-3.268 5.261-7.989 5.261Zm-.363-29.692a19.226 19.226 0 0 0-9.32 2.177l4.357 6.168c1.634-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68H95.02v6.048h17.31c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM185.32 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.302-29.692a19.226 19.226 0 0 0-9.321 2.177l4.358 6.168c1.634-.846 3.389-1.27 5.265-1.21 5.084 0 7.687 3.327 8.05 7.68h-8.776v6.048h17.31c.121-.907.181-1.754.181-2.66.061-13.184-8.655-18.203-17.067-18.203ZM291.416 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.484-29.692a19.225 19.225 0 0 0-9.32 2.177l4.357 6.168c1.635-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68h-8.775v6.048h17.309c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM117.172.299 133.5 39h9.926L130.971 8.221h16.099V.36L117.172.3Zm48.418.06L146.888 47.71l-2.784 7.076h9.502L176.06.36h-10.47Zm83.461 53.58c3.873 0 7.081-1.089 9.32-2.963l-3.631-5.745c-1.15.484-2.421.665-3.692.665-4.963 0-7.808-2.963-8.776-6.894h-8.897c1.211 8.406 7.263 14.937 15.676 14.937Zm11.196-30.418c-2.057-3.265-6.234-5.624-12.044-5.624-5.689-.06-10.954 3.024-13.738 8.043l7.565 4.838c1.392-2.903 4.116-4.838 8.292-4.838 5.931 0 9.925 4.596 9.925 10.038 0 1.029-.121 2.057-.423 3.024h9.502v-20.5h-9.079v5.019Zm-8.775 38.642c-5.871 0-8.05-2.842-8.474-6.168h-8.654c.181 6.35 4.418 13.304 17.309 13.304 8.715 0 14.404-4.354 16.765-10.885l-8.171-2.842c-1.15 4.233-4.297 6.591-8.775 6.591Z"></path></svg></a><div class="group flex flex-nowrap"><button class="cursor-pointer items-center font-polysans text-15 flex"><span class="group-hover:opacity-60">Menu</span><svg width="100%" height="100%" viewBox="0 0 28 28" xmlns="http://www.w3.org/2000/svg" class="ml-8 inline-block h-18 w-18 fill-black group-hover:opacity-60 md:mt-2 md:h-[22px] md:w-[22px]"><title>Expand</title><path d="M28 11.76H16.24V0h-4.48v11.76H0v4.48h11.76V28h4.48V16.24H28v-4.48Z"></path></svg></button></div></div></div></div><div class="duet--page-layout--standard-article"><div style="position:fixed;top:1px;left:1px;width:1px;height:0;padding:0;margin:-1px;overflow:hidden;clip:rect(0, 0, 0, 0);white-space:nowrap;border-width:0;display:none"></div><main class="md:px-34 relative px-20"><div style="min-height:90px;min-width:728px;margin-top:40px;margin-bottom:40px" class="_1gsaw2w0 _1gsaw2w3" data-concert="tablet_leaderboard"></div><div style="min-height:90px;min-width:728px;margin-top:100px;margin-bottom:60px" class="_1gsaw2w0 _1gsaw2w5" data-concert="desktop_leaderboard_variable"></div><article id="content" class="mx-auto my-24 w-full max-w-container-lg md:mt-16 lg:mt-45"><div class="duet--article--lede mx-auto mb-28 w-full md:max-w-container-md lg:mb-36 lg:max-w-none"><ul class="lg:px-0 article-groups leading-100 mb-8"></ul><h1 class="mb-28 hidden max-w-[900px] font-polysans text-45 font-bold leading-100 selection:bg-franklin-20 lg:block">Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware</h1><span class="sticky-nav-trigger"></span><div class="flex flex-col lg:flex-row-reverse lg:justify-end"><div class="flex-col lg:flex lg:ml-40"><div class="mb-24 grow"><h1 class="inline font-polysans text-22 font-bold leading-110 md:text-33 lg:hidden">Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware</h1><span class="font-polysans text-22 font-light leading-110 md:text-30 lg:block"><span class="text-blurple"> / </span><h2 class="inline selection:bg-franklin-20">exe.coli</h2></span></div><div><div class="mb-16 w-[200px] border-t border-gray-bd lg:hidden"></div><div class="mb-2 text-blurple [&>p>span:first-child]:text-gray-13 [&_.duet--article-byline-and]:text-gray-13"><p class="duet--article--article-byline max-w-[550px] font-polysans text-12 leading-120"><span>By</span> <span><span class="duet--article-byline-and"></span> <span class="font-medium"><a class="hover:shadow-underline-inherit" href="/authors/natt-garun">Natt Garun</a></span></span></p></div><div class="duet--article--date-and-comments mb-20 inline-block font-polysans text-12 text-gray-5a"><time dateTime="2017-05-26T19:49:16.000Z" class="duet--article--timestamp font-polysans text-12"> May 26, 2017, 7:49 PM UTC</time></div><div class="mb-24 flex lg:mb-0 lg:mb-0"><div class="flex"><div><h2 class="sr-only">Share this story</h2><ul class="duet--article--share-buttons flex leading-[0]"><li class="mr-8"><div class="relative flex items-center"><button aria-label="Copy link" class="rounded-full bg-transparent transition shadow-border-gray-d3 hover:bg-blurple hover:shadow-border-blurple"><svg width="30" height="30" class="transition fill-blurple hover:fill-white" viewBox="0 0 30 30" xmlns="http://www.w3.org/2000/svg"><path d="M13.7876 20.18C12.6943 21.2733 10.9133 21.2733 9.81998 20.18C8.72669 19.0867 8.72666 17.3056 9.81998 16.2123L12.0243 14.0081C13.1176 12.9147 14.8986 12.9147 15.9919 14.0081C16.0816 14.0954 16.1326 14.2149 16.1335 14.34C16.1343 14.4651 16.085 14.5854 15.9965 14.6739C15.9081 14.7624 15.7877 14.8118 15.6627 14.8109C15.5376 14.81 15.418 14.759 15.3306 14.6693C14.5922 13.9309 13.4239 13.9309 12.6855 14.6693L10.4812 16.8736C9.74277 17.6121 9.74277 18.7803 10.4812 19.5188C11.2197 20.2572 12.3879 20.2571 13.1264 19.5188L15.2204 17.4246V17.4247C15.3077 17.335 15.4273 17.284 15.5525 17.2832C15.6776 17.2823 15.7978 17.3317 15.8863 17.4202C15.9747 17.5087 16.0241 17.6289 16.0232 17.7541C16.0224 17.8792 15.9714 17.9987 15.8817 18.086L13.7876 20.18ZM17.9757 15.9919C16.8824 17.0852 15.1014 17.0852 14.0081 15.9919V15.992C13.9184 15.9047 13.8674 15.7852 13.8665 15.6601C13.8658 15.5349 13.915 15.4147 14.0035 15.3262C14.092 15.2377 14.2123 15.1883 14.3374 15.1892C14.4626 15.19 14.582 15.241 14.6694 15.3307C15.4078 16.0692 16.5761 16.0692 17.3145 15.3307L19.5188 13.1265C20.2572 12.388 20.2572 11.2197 19.5188 10.4813C18.7803 9.74283 17.6121 9.74283 16.8736 10.4813L14.7796 12.5753C14.6923 12.665 14.5727 12.7161 14.4475 12.717C14.3224 12.7179 14.2022 12.6685 14.1137 12.58C14.0252 12.4915 13.9758 12.3712 13.9767 12.246C13.9775 12.1208 14.0285 12.0012 14.1183 11.914L16.2124 9.82001C17.3057 8.72668 19.0867 8.72668 20.18 9.82001C21.2733 10.9133 21.2733 12.6944 20.18 13.7877L17.9757 15.992L17.9757 15.9919Z"></path></svg></button></div></li><li class="mr-8"><button aria-label="Share on Facebook" class="rounded-full bg-transparent transition shadow-border-gray-d3 hover:bg-blurple hover:shadow-border-blurple"><svg width="30" height="30" class="transition fill-blurple hover:fill-white" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 30 30"><path d="M17.407 15.6999L17.7398 13.5442H15.6561V12.1455C15.6561 11.5562 15.9467 10.9806 16.8808 10.9806H17.8286V9.14574C17.8286 9.14574 16.9685 9 16.1464 9C14.4304 9 13.3083 10.0317 13.3083 11.9012V13.5442H11.4V15.6999H13.3083V20.9098C13.6908 20.9696 14.0828 21 14.4822 21C14.8816 21 15.2736 20.9685 15.6561 20.9098V15.6999H17.407Z"></path></svg></button></li><li class=""><button aria-label="Share on Threads" class="rounded-full bg-transparent transition shadow-border-gray-d3 hover:bg-blurple hover:shadow-border-blurple"><svg class="transition fill-blurple hover:fill-white" width="30" height="30" viewBox="-5 -5 25 25" fill="none" xmlns="http://www.w3.org/2000/svg"><title>Threads</title><path d="M10.9012 7.56177C10.8503 7.53699 10.7987 7.51315 10.7464 7.49032C10.6553 5.78364 9.73809 4.80656 8.19801 4.79656C8.19104 4.79652 8.1841 4.79652 8.17712 4.79652C7.25596 4.79652 6.48984 5.19631 6.0183 5.92379L6.86529 6.51455C7.21755 5.97114 7.77038 5.8553 8.17752 5.8553C8.18223 5.8553 8.18695 5.8553 8.1916 5.85534C8.69869 5.85863 9.08134 6.00854 9.329 6.30088C9.50923 6.51371 9.62978 6.80781 9.68946 7.17899C9.23987 7.10129 8.75364 7.07741 8.23386 7.10771C6.76962 7.19346 5.8283 8.06174 5.89152 9.26825C5.9236 9.88025 6.22346 10.4068 6.73583 10.7507C7.16904 11.0414 7.72697 11.1836 8.30684 11.1514C9.07261 11.1088 9.67336 10.8117 10.0925 10.2685C10.4108 9.856 10.6121 9.32144 10.701 8.64787C11.0659 8.87181 11.3364 9.1665 11.4857 9.52075C11.7397 10.1229 11.7545 11.1125 10.9604 11.9192C10.2646 12.626 9.42828 12.9318 8.1643 12.9412C6.76222 12.9306 5.70184 12.4734 5.01241 11.5823C4.36681 10.7479 4.03317 9.54262 4.02072 8C4.03317 6.45736 4.36681 5.2521 5.01241 4.41767C5.70184 3.52656 6.7622 3.06938 8.16428 3.05878C9.57654 3.06946 10.6554 3.52884 11.3712 4.42425C11.7222 4.86335 11.9868 5.41555 12.1613 6.05939L13.1538 5.79014C12.9424 4.99764 12.6097 4.31473 12.1569 3.74838C11.2392 2.60042 9.89705 2.0122 8.16774 2H8.16082C6.43504 2.01215 5.10793 2.60261 4.21638 3.75496C3.42303 4.7804 3.01379 6.20723 3.00004 7.99578L3 8L3.00004 8.00422C3.01379 9.79275 3.42303 11.2196 4.21638 12.2451C5.10793 13.3974 6.43504 13.9879 8.16082 14H8.16774C9.70206 13.9892 10.7836 13.5808 11.6745 12.6757C12.8402 11.4916 12.8051 10.0074 12.4209 9.09631C12.1452 8.44294 11.6197 7.91226 10.9012 7.56177ZM8.25202 10.0942C7.61027 10.1309 6.94357 9.83806 6.91069 9.21075C6.88632 8.74563 7.23625 8.22663 8.2914 8.1648C8.41224 8.15771 8.53082 8.15425 8.6473 8.15425C9.03057 8.15425 9.38912 8.19211 9.7151 8.26456C9.59351 9.80844 8.88033 10.0591 8.25202 10.0942Z"></path><path d="M10.9012 7.56177C10.8503 7.53699 10.7987 7.51315 10.7464 7.49032C10.6553 5.78364 9.73809 4.80656 8.19801 4.79656C8.19104 4.79652 8.1841 4.79652 8.17712 4.79652C7.25596 4.79652 6.48984 5.19631 6.0183 5.92379L6.86529 6.51455C7.21755 5.97114 7.77038 5.8553 8.17752 5.8553C8.18223 5.8553 8.18695 5.8553 8.1916 5.85534C8.69869 5.85863 9.08134 6.00854 9.329 6.30088C9.50923 6.51371 9.62978 6.80781 9.68946 7.17899C9.23987 7.10129 8.75364 7.07741 8.23386 7.10771C6.76962 7.19346 5.8283 8.06174 5.89152 9.26825C5.9236 9.88025 6.22346 10.4068 6.73583 10.7507C7.16904 11.0414 7.72697 11.1836 8.30684 11.1514C9.07261 11.1088 9.67336 10.8117 10.0925 10.2685C10.4108 9.856 10.6121 9.32144 10.701 8.64787C11.0659 8.87181 11.3364 9.1665 11.4857 9.52075C11.7397 10.1229 11.7545 11.1125 10.9604 11.9192C10.2646 12.626 9.42828 12.9318 8.1643 12.9412C6.76222 12.9306 5.70184 12.4734 5.01241 11.5823C4.36681 10.7479 4.03317 9.54262 4.02072 8C4.03317 6.45736 4.36681 5.2521 5.01241 4.41767C5.70184 3.52656 6.7622 3.06938 8.16428 3.05878C9.57654 3.06946 10.6554 3.52884 11.3712 4.42425C11.7222 4.86335 11.9868 5.41555 12.1613 6.05939L13.1538 5.79014C12.9424 4.99764 12.6097 4.31473 12.1569 3.74838C11.2392 2.60042 9.89705 2.0122 8.16774 2H8.16082C6.43504 2.01215 5.10793 2.60261 4.21638 3.75496C3.42303 4.7804 3.01379 6.20723 3.00004 7.99578L3 8L3.00004 8.00422C3.01379 9.79275 3.42303 11.2196 4.21638 12.2451C5.10793 13.3974 6.43504 13.9879 8.16082 14H8.16774C9.70206 13.9892 10.7836 13.5808 11.6745 12.6757C12.8402 11.4916 12.8051 10.0074 12.4209 9.09631C12.1452 8.44294 11.6197 7.91226 10.9012 7.56177ZM8.25202 10.0942C7.61027 10.1309 6.94357 9.83806 6.91069 9.21075C6.88632 8.74563 7.23625 8.22663 8.2914 8.1648C8.41224 8.15771 8.53082 8.15425 8.6473 8.15425C9.03057 8.15425 9.38912 8.19211 9.7151 8.26456C9.59351 9.80844 8.88033 10.0591 8.25202 10.0942Z"></path></svg></button></li></ul></div><span class="duet--article--lede-share-tools-separator mx-16 mt-4 h-[20px] border-l border-gray-d3"></span><div class=""><button title="Go to comments" class="duet--article--comments-link text-0 inline-block text-16 md:inline"><span class="inline-block h-18 align-text-bottom font-polysans text-12 font-medium leading-[18px] text-blurple"><span class="coral-count" data-coral-id="a7c571f5-7a8d-4ba0-bb16-924f04959625" data-coral-url="https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware"></span></span></button></div></div></div><div style="margin:0" class="_1gsaw2w0 _1gsaw2w1" data-concert="article_sponsorship"></div></div></div><div class="w-full shrink-0 lg:basis-[600px]"><div class="md:pl-0"><figure class="duet--article--lede-image w-full"><span style="box-sizing:border-box;display:block;overflow:hidden;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;position:relative"><span style="box-sizing:border-box;display:block;width:initial;height:initial;background:none;opacity:1;border:0;margin:0;padding:0;padding-top:66.63636363636364%"></span><img alt="chipotle" sizes="(max-width: 768px) calc(100vw - 100px), (max-width: 1180px) 700px, 600px" srcSet="https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/16x11/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 16w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/32x21/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 32w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/48x32/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 48w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/64x43/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 64w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/96x64/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 96w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/128x85/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 128w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/256x171/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 256w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/376x251/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 376w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/384x256/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 384w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/415x277/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 415w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/480x320/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 480w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/540x360/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 540w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/640x427/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 640w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/750x500/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 750w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/828x552/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 828w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1080x720/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1080w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1200x800/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1200w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1440x960/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1440w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/1920x1280/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 1920w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/2048x1365/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 2048w, https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/2400x1600/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg 2400w" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1100x733/2400x1600/filters:focal(550x367:551x368):format(webp)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg" decoding="async" data-nimg="responsive" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%;object-fit:cover"/></span></figure></div></div></div></div><div class="relative md:mx-auto md:flex md:max-w-container-md lg:max-w-none"><div class="duet--article--article-body-component-container clearfix sm:ml-auto md:ml-100 md:max-w-article-body lg:mx-100"><div><div class="duet--article--article-body-component"><p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&_a:hover]:shadow-highlight-franklin dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-underline-black dark:[&_a]:shadow-underline-white">Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack <a href="http://fortune.com/2017/04/25/chipotles-restaurants-hacked/">earlier this year</a>. Alongside the news, it also released <a href="https://www.chipotle.com/security#security">a new tool </a>to help customers check whether the restaurant they visited was involved. When pressed by <em>The Verge</em>, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.</p></div><div class="duet--article--article-body-component"><p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&_a:hover]:shadow-highlight-franklin dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-underline-black dark:[&_a]:shadow-underline-white">“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”</p></div><div class="duet--article--article-body-component clear-both block md:float-left md:mr-30 md:w-[320px] lg:-ml-100"><div class="duet--article--article-pullquote mb-20"><div class="mb-10 h-[22px] w-[65px] bg-franklin"></div><p class="duet--article--dangerously-set-cms-markup relative bg-repeating-lines-dark bg-[length:1px_1.2em] pb-8 font-polysans text-28 font-medium leading-120 tracking-1 selection:bg-franklin-20 dark:bg-repeating-lines-light dark:text-white dark:selection:bg-blurple">every state Chipotle operates in had restaurants that were breached</p></div></div><div class="duet--article--article-body-component"><p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&_a:hover]:shadow-highlight-franklin dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-underline-black dark:[&_a]:shadow-underline-white">We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found <a href="https://pizzerialocale.com/security">here</a>, which includes locations in Kansas, Missouri, Colorado, and Ohio.) </p></div><div class="duet--article--article-body-component"><p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&_a:hover]:shadow-highlight-franklin dark:[&_a:hover]:shadow-highlight-blurple [&_a]:shadow-underline-black dark:[&_a]:shadow-underline-white">Chipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the <a href="https://www.eater.com/2016/7/7/12118194/chipotle-e-coli-manhattan-not-again">many</a> <a href="http://www.foxnews.com/food-drink/2017/05/26/chipotle-accused-covering-up-for-manager-who-put-hidden-camera-womens-bathroom.html">things</a> Chipotle can <a href="http://www.delish.com/food-news/a46459/chipotle-sued-over-sexual-harassment-and-discrimination/">screw you over</a> for.</p></div></div><div class="mb-40 mt-30"><button class="duet--article--comments-button group inline-flex h-40 w-full items-center justify-center rounded-[2px] border-[1px] border-solid border-blurple font-polysans-mono text-11 font-light uppercase tracking-12 text-blurple hover:bg-blurple hover:text-white md:w-auto md:px-30"><svg class="mr-10 inline pt-2" width="12" height="14" fill="none" viewBox="0 0 12 12" stroke-width="1px" xmlns="http://www.w3.org/2000/svg"><title>Comments</title><path d="M2.4 9.1h-.207l-.147.146L.5 10.793V1.2c0-.384.316-.7.7-.7h9.6c.384 0 .7.316.7.7v7.2c0 .384-.316.7-.7.7H2.4Z" stroke="currentColor"></path></svg><span class="coral-count" data-coral-id="a7c571f5-7a8d-4ba0-bb16-924f04959625" data-coral-url="https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware"></span></button></div></div><div class="duet--layout--rail max-h-[8000px] max-w-[300px] hidden z-0 text-white lg:flex lg:flex-1 lg:flex-col"><div class="flex-auto"><div style="min-height:250px;min-width:300px;position:sticky;top:90px;margin-bottom:40px" class="_1gsaw2w0 _1gsaw2w5" data-concert="medium_rectangle_variable"></div></div><div class="flex-auto"><div class="duet--recirculation--list-breaker-standard sticky m-auto my-50 rounded-[4px] lg:mb-40 lg:mt-0 bg-white top-90 w-mobile-breaker p-20"><div class="absolute right-[-25px] top-0 h-full rotate-180 whitespace-nowrap text-center font-manuka text-[168px] font-ultra leading-100 text-franklin opacity-50" style="writing-mode:vertical-rl;text-orientation:sideways">Most Popular</div><div class="relative z-10 mb-20 flex justify-between font-polysans text-11 font-medium uppercase tracking-15 text-blurple">Most Popular</div><ol class="styled-counter styled-counter-standard md:w-full w-full"><li class="leading-120 text-blurple"><a class="text-black hover:text-blurple" href="/2024/11/22/24303294/sirius-xm-cancellation-process-illegal-ny-ag"><h2 class="mb-4 inline w-[181px] font-polysans text-16 font-bold tracking-1">Judge rules SiriusXM’s annoying cancellation process is illegal</h2></a><hr class="-mx-28 my-20 w-[calc(50%+14px)] border text-black/0 border-b-blurple"/></li><li class="leading-120 text-blurple"><a class="text-black hover:text-blurple" href="/2024/11/22/24303594/elon-musk-harassing-federal-workers-x"><h2 class="mb-4 inline w-[181px] font-polysans text-16 font-bold tracking-1">Elon Musk is directing harassment toward individual federal workers</h2></a><hr class="-mx-28 my-20 w-[calc(50%+14px)] border text-black/0 border-b-blurple"/></li><li class="leading-120 text-blurple"><a class="text-black hover:text-blurple" href="/2024/11/22/24303299/baidu-apollo-go-rt6-robotaxi-unit-economics-waymo"><h2 class="mb-4 inline w-[181px] font-polysans text-16 font-bold tracking-1">Baidu’s supercheap robotaxis should scare the hell out of the US</h2></a><hr class="-mx-28 my-20 w-[calc(50%+14px)] border text-black/0 border-b-blurple"/></li><li class="leading-120 text-blurple"><a class="text-black hover:text-blurple" href="/2024/11/22/24302381/apple-smart-display-homepad-smart-home-control"><h2 class="mb-4 inline w-[181px] font-polysans text-16 font-bold tracking-1">Apple’s first smart display needs to make the smart home just work</h2></a><hr class="-mx-28 my-20 w-[calc(50%+14px)] border text-black/0 border-b-blurple"/></li><li class="leading-120 text-blurple"><a class="text-black hover:text-blurple" href="/24303351/apple-imac-m4-review-expensive-beautiful-niche"><h2 class="mb-4 inline w-[181px] font-polysans text-16 font-bold tracking-1">The iMac M4 wasn’t built for this world</h2></a><hr class="-mx-28 my-20 w-[calc(50%+14px)] border text-black/0 border-b-blurple"/></li></ol></div></div><div class="flex-auto"><div class="sticky top-90"><div style="min-height:250px;min-width:300px;margin-bottom:40px" class="_1gsaw2w0 _1gsaw2w5" data-concert="medium_rectangle_gamestop"></div><div style="min-height:100px;min-width:300px;padding-bottom:40px" class="_1gsaw2w0 _1gsaw2w5" data-concert="connatix_right_rail"></div></div></div><div class="flex-auto"><aside class="sticky top-90 pb-40 duet--article--rail"><div class="mb-8 hidden md:block"><div><form class=""><div class="duet--cta--newsletter flex w-full flex-col border-t px-12 pt-16 font-polysans-mono text-14 font-light leading-130 -tracking-2 md:text-15 text-blurple border-blurple"><div class="mb-10"><h2 class="inline font-medium">Verge Deals</h2><p class="inline"> / <span class="duet--article--dangerously-set-cms-markup">Sign up for Verge Deals to get deals on products we've tested sent to your inbox weekly.</span></p></div><div><fieldset><div class="mb-4 flex"><label class="sr-only" for="email">Email (required)</label><input id="email" type="email" name="email" placeholder="Enter your email" class="mr-8 rounded-sm border px-10 font-polysans text-15 font-light focus:outline-none w-full placeholder:text-blurple bg-white"/><button type="submit" class="whitespace-nowrap rounded-sm border px-18 py-12 text-12 font-medium uppercase tracking-12 no-underline border-blurple hover:bg-blurple hover:text-white">Sign up</button></div></fieldset><div class="mt-2 font-polysans text-11 leading-110">By submitting your email, you agree to our <a href="https://www.voxmedia.com/legal/terms-of-use" class="underline">Terms</a> and <a href="https://www.voxmedia.com/legal/privacy-notice" class="underline">Privacy Notice</a>. This site is protected by reCAPTCHA and the Google <a href="https://policies.google.com/privacy" class="underline">Privacy Policy</a> and <a href="https://policies.google.com/terms" class="underline">Terms of Service</a> apply.</div></div></div></form></div></div></aside></div><div class="duet--ad--native-ad-rail hidden flex-auto" data-native-ad-id="container"><div class="sticky top-90 mb-40"><div class="hidden"><div class="dynamic-native-ad-native_ad_latest"></div></div><div class="flex items-center text-black"><div class="w-[210px]"><div class="mb-6"><span class="border-b border-b-blurple pb-6 font-polysans text-10 font-medium uppercase leading-140 tracking-15 text-gray-5a">From our sponsor</span></div><h3 class="font-polysans text-20 leading-110 tracking-1"><a data-native-ad-id="title" href="http://theverge.com" class="hover:shadow-underline-black"></a></h3><a href="http://theverge.com"><div class="mb-4 flex items-center text-gray-31"><span data-native-ad-id="preamble" class="font-polysans text-10 font-medium uppercase leading-140 tracking-15">Advertiser Content From</span><img data-native-ad-id="sponsored_logo" class="max-h-[24px] max-w-[120px] pl-8" alt="Sponsor logo" src="/icons/native-ad-placeholder.png"/></div></a></div><div><img data-native-ad-id="thumbnail" class="max-w-[75px] pl-8" alt="Sponsor thumbnail" src="/icons/native-ad-placeholder.png"/></div></div></div></div><div class="flex-auto"><div style="min-height:250px;min-width:300px;position:sticky;top:90px;margin-bottom:40px" class="_1gsaw2w0 _1gsaw2w5" data-concert="btf_medium_rectangle_variable_article"></div></div></div><div style="position:absolute;top:8200px;right:10px;bottom:40px" class="_1gsaw2w0 _1gsaw2w5" data-concert="btf_medium_rectangle_variable_feature_extended_sticky"></div></div></article></main><div style="min-height:250px;min-width:300px;margin-bottom:40px" class="_1gsaw2w0 _1gsaw2w4" data-concert="medium_rectangle_gamestop"></div></div></div><footer class="duet--navigation--footer bg-gray-13 pb-70 pt-20 text-center font-polysans text-10 uppercase leading-[19px] tracking-[0.1em] text-white md:pt-40 lg:text-left lg:text-12 lg:leading-[21px]"><div class="mx-auto max-w-container-lg"><a href="/" class="mx-auto mb-24 inline-block w-full overflow-hidden lg:mx-0"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 309 70" role="img" class="relative mx-auto w-[calc(100vw-40px)] fill-white md:static md:w-[204px] lg:ml-0 lg:w-[398px]" width="100%" height="100%" fill="none"><title>The Verge</title><desc>The Verge logo.</desc><path d="m231.196 17.897-.302 9.071c-10.592-.726-13.618 1.996-13.618 10.885V39h-9.078V18.441h9.078v5.866c2.724-4.777 6.416-6.954 13.92-6.41ZM15.131 54.786h9.078V19.71h-9.078v35.075Zm44.968-36.828c-6.355 0-10.228 2.842-12.286 5.986V4.593H0v8.466h39.34V39h8.654c0-7.438 4.298-12.697 9.563-12.697 4.54 0 6.597 2.237 6.597 10.28v18.203h9.078V33.318c0-10.28-5.265-15.36-13.133-15.36ZM95.807 47.83c-5.507 0-9.078-3.326-9.683-8.829H77.59c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.15 3.447-3.268 5.261-7.989 5.261Zm-.363-29.692a19.226 19.226 0 0 0-9.32 2.177l4.357 6.168c1.634-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68H95.02v6.048h17.31c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM185.32 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.302-29.692a19.226 19.226 0 0 0-9.321 2.177l4.358 6.168c1.634-.846 3.389-1.27 5.265-1.21 5.084 0 7.687 3.327 8.05 7.68h-8.776v6.048h17.31c.121-.907.181-1.754.181-2.66.061-13.184-8.655-18.203-17.067-18.203ZM291.416 47.83c-5.507 0-9.078-3.326-9.683-8.829h-8.534c.847 9.676 7.202 16.51 18.157 16.51 8.473 0 13.254-3.81 15.736-9.555l-7.687-3.387c-1.21 3.447-3.328 5.261-7.989 5.261Zm-.484-29.692a19.225 19.225 0 0 0-9.32 2.177l4.357 6.168c1.635-.846 3.39-1.27 5.266-1.21 5.084 0 7.686 3.327 8.049 7.68h-8.775v6.048h17.309c.121-.907.182-1.754.182-2.66.06-13.184-8.655-18.203-17.068-18.203ZM117.172.299 133.5 39h9.926L130.971 8.221h16.099V.36L117.172.3Zm48.418.06L146.888 47.71l-2.784 7.076h9.502L176.06.36h-10.47Zm83.461 53.58c3.873 0 7.081-1.089 9.32-2.963l-3.631-5.745c-1.15.484-2.421.665-3.692.665-4.963 0-7.808-2.963-8.776-6.894h-8.897c1.211 8.406 7.263 14.937 15.676 14.937Zm11.196-30.418c-2.057-3.265-6.234-5.624-12.044-5.624-5.689-.06-10.954 3.024-13.738 8.043l7.565 4.838c1.392-2.903 4.116-4.838 8.292-4.838 5.931 0 9.925 4.596 9.925 10.038 0 1.029-.121 2.057-.423 3.024h9.502v-20.5h-9.079v5.019Zm-8.775 38.642c-5.871 0-8.05-2.842-8.474-6.168h-8.654c.181 6.35 4.418 13.304 17.309 13.304 8.715 0 14.404-4.354 16.765-10.885l-8.171-2.842c-1.15 4.233-4.297 6.591-8.775 6.591Z"></path></svg></a><div class="flex flex-col lg:flex-row"><div class="mb-4 sm:mb-0 sm:basis-1/3 lg:basis-2/3"><div class="flex flex-col"><ul class="mb-16 flex list-inside flex-wrap justify-center pl-20 lg:justify-start"><li><button id="ot-sdk-btn" class="ot-sdk-show-settings">Cookie Settings</button></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://www.voxmedia.com/legal/terms-of-use">Terms of Use</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://www.voxmedia.com/legal/privacy-notice">Privacy Notice</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://www.voxmedia.com/legal/cookie-policy">Cookie Policy</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://www.voxmedia.com/pages/licensing">Licensing FAQ</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://www.voxmedia.com/legal/accessibility">Accessibility</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://status.voxmedia.com">Platform Status</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-franklin before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="/pages/how-we-rate">How We Rate and Review Products</a></li></ul><ul class="mb-16 flex list-inside flex-wrap justify-center pl-20 lg:justify-start"><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-pernod before:hidden"><a rel="nofollow" class="hover:shadow-underline-inherit" href="/contact-the-verge">Contact</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-pernod before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="/c/tech/22579076/how-to-tip-the-verge-email-signal-and-more">Tip Us</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-pernod before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="/community-guidelines">Community Guidelines</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-pernod before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="/about-the-verge">About</a></li><li class="mr-8 list-none before:mr-8 before:inline-block before:content-['/'] before:text-pernod before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="/ethics-statement">Ethics Statement</a></li></ul></div></div><div class="lg:basis-1/3"><p class="mb-8 font-bold uppercase">The Verge is a vox media network</p><ul class="mb-8 flex list-inside flex-wrap justify-center lg:justify-start"><li class="mr-8 list-none leading-5 before:mr-8 before:inline-block before:text-hot-brick before:hidden"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://www.voxmedia.com/vox-advertising">Advertise with us</a></li><li class="mr-8 list-none leading-5 before:mr-8 before:inline-block before:text-hot-brick before:content-['/']"><a rel="nofollow" class="hover:shadow-underline-inherit" href="https://jobs.voxmedia.com">Jobs @ Vox Media</a></li></ul><p class="font-fkroman tracking-12 text-white">© 2024 <a rel="nofollow" href="https://www.voxmedia.com">Vox Media</a>, LLC. All Rights Reserved</p></div></div></div></footer></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"hydration":{"responses":[{"operationName":"StandardArticleLayoutQuery","variables":{"uid":"Entry:a7c571f5-7a8d-4ba0-bb16-924f04959625","communityId":372},"data":{"entryRevision":{"__typename":"Entry","communityGroups":[],"uid":"Entry:a7c571f5-7a8d-4ba0-bb16-924f04959625","author":{"_id":3978679,"fullName":"Natt Garun","authorProfile":{"url":"https://www.theverge.com/authors/natt-garun","shortBio":null,"uid":"AuthorProfile:23967"}},"uuid":"a7c571f5-7a8d-4ba0-bb16-924f04959625","type":"STORY","community":{"_id":372,"domain":"theverge.com","network":{"domain":"theverge.com"},"placeholderImageUrl":"https://cdn.vox-cdn.com/uploads/network/placeholder_image/2/The_Verge.644.jpg","slug":"verge","name":"The Verge","googleAmpLogo":{"url":"https://cdn.vox-cdn.com/uploads/chorus_asset/file/24015294/verge_duet_google_news.png","width":250,"height":50},"communityID":372},"title":"Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware","seoHeadline":null,"socialHeadline":null,"promoHeadline":null,"legacyId":15465817,"hasAffiliateLinks":false,"publishDate":"2017-05-26T19:49:16.000Z","originalPublishDate":"2017-05-26T19:49:16.000Z","wordCount":282,"streams":null,"contributors":[],"primaryCampaignGroup":null,"campaignGroups":[],"primaryCommunityGroup":{"slug":"front-page","parentEntryGroup":null,"name":"Front Page","isInternal":false},"primaryPackageGroup":null,"__isEntryRevision":"Entry","body":{"components":[{"__typename":"EntryBodyParagraph","placement":{"id":"E951wq","alignment":null},"__isEntryBodyComponent":"EntryBodyParagraph","contents":{"html":"Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack \u003ca href=\"http://fortune.com/2017/04/25/chipotles-restaurants-hacked/\"\u003eearlier this year\u003c/a\u003e. Alongside the news, it also released \u003ca href=\"https://www.chipotle.com/security#security\"\u003ea new tool \u003c/a\u003eto help customers check whether the restaurant they visited was involved. When pressed by \u003cem\u003eThe Verge\u003c/em\u003e, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved."},"dropcap":false,"endmark":false,"lead":false},{"__typename":"EntryBodyParagraph","placement":{"id":"Je45Tp","alignment":null},"__isEntryBodyComponent":"EntryBodyParagraph","contents":{"html":"“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”"},"dropcap":false,"endmark":false,"lead":false},{"__typename":"EntryBodyPullquote","placement":{"id":"6YBiJd","alignment":"FLOAT_RIGHT"},"__isEntryBodyComponent":"EntryBodyPullquote","quote":{"html":"every state Chipotle operates in had restaurants that were breached"}},{"__typename":"EntryBodyParagraph","placement":{"id":"qLS5CR","alignment":null},"__isEntryBodyComponent":"EntryBodyParagraph","contents":{"html":"We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found \u003ca href=\"https://pizzerialocale.com/security\"\u003ehere\u003c/a\u003e, which includes locations in Kansas, Missouri, Colorado, and Ohio.) "},"dropcap":false,"endmark":false,"lead":false},{"__typename":"EntryBodyParagraph","placement":{"id":"96uR29","alignment":null},"__isEntryBodyComponent":"EntryBodyParagraph","contents":{"html":"Chipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the \u003ca href=\"https://www.eater.com/2016/7/7/12118194/chipotle-e-coli-manhattan-not-again\"\u003emany\u003c/a\u003e \u003ca href=\"http://www.foxnews.com/food-drink/2017/05/26/chipotle-accused-covering-up-for-manager-who-put-hidden-camera-womens-bathroom.html\"\u003ethings\u003c/a\u003e Chipotle can \u003ca href=\"http://www.delish.com/food-news/a46459/chipotle-sued-over-sexual-harassment-and-discrimination/\"\u003escrew you over\u003c/a\u003e for."},"dropcap":false,"endmark":false,"lead":false}]},"liveCoverageStart":null,"slug":"2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware","layoutTemplate":"STANDARD","seoSchema":[{"@context":"http://schema.org/","@type":"NewsArticle","headline":"Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware","description":"exe.coli","datePublished":"2017-05-26T19:49:16.000Z","dateModified":"2017-05-26T19:49:16.000Z","thumbnailUrl":"https://cdn.vox-cdn.com/thumbor/aIjGnIAV3tFpqnpF_F4bqjZ3UsQ=/0x0:1100x733/1400x788/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","author":[{"@type":"Person","name":"Natt Garun","url":"https://www.theverge.com/authors/natt-garun"}],"publisher":{"@type":"Organization","name":"The Verge","logo":{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/uploads/chorus_asset/file/24015294/verge_duet_google_news.png","width":250,"height":50}},"image":[{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/thumbor/aIjGnIAV3tFpqnpF_F4bqjZ3UsQ=/0x0:1100x733/1400x788/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","width":1400,"height":788},{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/thumbor/cdBjjyHBd8bCiPof2hSFqNfKSIE=/0x0:1100x733/1400x1050/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","width":1400,"height":1050},{"@type":"ImageObject","url":"https://cdn.vox-cdn.com/thumbor/QCDvXVA3oPP3ENtZwhRGBLlsdzI=/0x0:1100x733/1400x1400/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","width":1400,"height":1400}],"url":"https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware","articleBody":"Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.\n\n“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”\n\n\"every state Chipotle operates in had restaurants that were breached\"\n\nWe browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) \n\nChipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the many things Chipotle can screw you over for.\n"}],"package":null,"url":"https://www.theverge.com/2017/5/26/15701776/chipotle-restaurants-hacked-credit-card-malware","commentsClosed":false,"railComponents":[{"__typename":"EntryRailNewsletter","entryRailNewsletter":{"name":"Verge Deals","slug":"deals"}}],"dek":{"plaintext":"exe.coli"},"leadImage":{"defaultImageUrl":"https://cdn.vox-cdn.com/thumbor/YCmbhcMjQx25iYXt4Vhb830euEA=/0x0:1100x733/1200x628/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg","asset":{"title":"chipotle","contentType":"image/jpeg"}},"seoDescription":null,"socialDescription":null,"socialImage":null,"shouldUseHTMLNoindex":false,"shouldUseHTMLNofollow":false,"password":null,"additionalContributors":null,"_id":15465817,"leadComponent":{"__typename":"EntryLeadImage","standard":{"hideCredit":false,"asset":{"title":"chipotle"},"caption":null,"credit":null,"variantUrl":"https://cdn.vox-cdn.com/thumbor/o7ur_HchsFd-jUZr8JR-Uiz2Asc=/0x0:1100x733/2000x1333/filters:focal(550x367:551x368)/cdn1.vox-cdn.com/assets/2807501/ChipUK006_MedRes.jpg"}},"liveCoverageEnd":null,"seoArticleBody":"Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.\n\n“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”\n\n\"every state Chipotle operates in had restaurants that were breached\"\n\nWe browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.) \n\nChipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the many things Chipotle can screw you over for.\n","stream":null,"visibleNetworkIds":[],"scheduledForExpirationAt":null}}}]},"uid":"Entry:a7c571f5-7a8d-4ba0-bb16-924f04959625","mostPopular":[{"author":{"fullName":"Emma Roth"},"publishDate":"2024-11-22T18:28:03","title":"Judge rules SiriusXM’s annoying cancellation process is illegal","url":"https://www.theverge.com/2024/11/22/24303294/sirius-xm-cancellation-process-illegal-ny-ag","uid":"0"},{"author":{"fullName":"Jay Peters"},"publishDate":"2024-11-23T00:21:36","title":"Elon Musk is directing harassment toward individual federal workers","url":"https://www.theverge.com/2024/11/22/24303594/elon-musk-harassing-federal-workers-x","uid":"1"},{"author":{"fullName":"Andrew J. Hawkins"},"publishDate":"2024-11-22T18:01:36","title":"Baidu’s supercheap robotaxis should scare the hell out of the US","url":"https://www.theverge.com/2024/11/22/24303299/baidu-apollo-go-rt6-robotaxi-unit-economics-waymo","uid":"2"},{"author":{"fullName":"Jennifer Pattison Tuohy"},"publishDate":"2024-11-22T14:03:07","title":"Apple’s first smart display needs to make the smart home just work","url":"https://www.theverge.com/2024/11/22/24302381/apple-smart-display-homepad-smart-home-control","uid":"3"},{"author":{"fullName":"Nathan Edwards"},"publishDate":"2024-11-23T15:15:00","title":"The iMac M4 wasn’t built for this world","url":"https://www.theverge.com/24303351/apple-imac-m4-review-expensive-beautiful-niche","uid":"4"}],"navProps":{"campaignGroup":null,"stickyNav":true,"logoColor":"franklin","lightText":false},"_sentryTraceData":"a7080cfff01a4e91a3040aad37fccbb7-8320cf888f595cc2-0","_sentryBaggage":"sentry-environment=production,sentry-release=eRiIIZjNhI1r-REYnWsjp,sentry-public_key=6547365f9d98454ba8daa58e42013d33,sentry-trace_id=a7080cfff01a4e91a3040aad37fccbb7"},"__N_SSP":true},"page":"/entry/standard/[uid]","query":{"uid":"Entry:a7c571f5-7a8d-4ba0-bb16-924f04959625"},"buildId":"eRiIIZjNhI1r-REYnWsjp","isFallback":false,"gssp":true,"scriptLoader":[{"src":"https://theverge.coral.coralproject.net/assets/js/count.js?v=0","strategy":"lazyOnload","className":"coral-script","defer":true}]}</script></body></html>