The Twitter account of a US restaurant chain was hacked over the weekend, with attackers using it to post offensive messages.
US-based Mexican restaurant chain Chipotle apologised on Sunday morning after its Twitter account was hacked by intruders who used it to post racist and offensive messages targeting the US government and government agencies.
The hack occurred late on Saturday, and lasted only a few minutes before the company was able to regain control, according to reports and to the accounts of other Twitter users.
However, within that time the hackers replaced the company’s logo with a swastika and posted a string of messages that were widely circulated across the social media service.
“So if you work in the media department at Chipotle, how much of a panic attack are you having right now?” one user wrote.
The company apologised in a Twitter message shortly after retaking control of the account. “We apologise for the nature of the posts that were made during that time, and we are now conducting an investigation to try to determine what happened and who might have been involved,” a company spokesman stated.
The attackers appear to have hijacked a Domain Name System (DNS) record that maps a company’s domain name to a specific IP address, allowing them to reroute Chipotle’s web and email traffic to their own servers, according to DNS records posted online.
They then would have been able to request a password reset message for the Twitter account, which would have been sent to an email address under their control.
The DNS compromise was also used to redirect requests for Chipotle’s web page to the Twitter profile of the user who claimed responsibility for the hack; that profile has now been disabled.
Before the account was removed, the user wrote that he had carried out the attack “for the lulz”.
Such a hack would not have affected the integrity of Chipotle’s own servers.
The DNS is the Internet-wide system that translates human-readable web addresses into numeric Internet Protocol locations.
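A defensive check for the kind of record change described above, as an added example that is not part of the original article: it compares a pinned baseline of a domain's DNS records with currently observed answers and labels each change by what it can reroute. All domains, addresses and records are constructed, and `parse_records` and `diff_records` are hypothetical helper names; in practice the observed records would come from live resolver queries.

```python
"""Added example: flag DNS record drift that could reroute mail or web traffic.
All domains, addresses and records are constructed (RFC 2606 / RFC 5737 values)."""

BASELINE = """
example.com.       NS     ns1.dns-host.example.
example.com.       MX     10 mail.example.com.
example.com.       A      192.0.2.10
mail.example.com.  A      192.0.2.25
www.example.com.   CNAME  example.com.
"""

# Constructed "current" answers: two address records now point elsewhere.
OBSERVED = BASELINE.replace("192.0.2.10", "198.51.100.7").replace("192.0.2.25", "198.51.100.7")


def parse_records(text):
    """Parse 'name type value' lines into {(name, type): {values}}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        key = (name.lower().rstrip("."), rtype.upper())
        records.setdefault(key, set()).add(value.lower().rstrip("."))
    return records


def diff_records(baseline, observed):
    """Return (name, type, impact, old, new) for every record set that changed."""
    # Hosts named by baseline MX records: an address change on these moves mail too.
    mail_hosts = {v.split()[-1] for (_, t), vals in baseline.items() if t == "MX" for v in vals}
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        old = baseline.get((name, rtype), set())
        new = observed.get((name, rtype), set())
        if old == new:
            continue
        if rtype == "NS":
            impact = "delegation"  # whoever serves the zone controls every record
        elif rtype == "MX" or name in mail_hosts:
            impact = "mail"  # password-reset and other inbound mail can be intercepted
        else:
            impact = "web"
        findings.append((name, rtype, impact, sorted(old), sorted(new)))
    return findings


if __name__ == "__main__":
    for finding in diff_records(parse_records(BASELINE), parse_records(OBSERVED)):
        print(finding)
```

A "mail" or "delegation" finding is the one to treat as an account-recovery risk, since any service that sends password resets to addresses at the domain is exposed while the change is live.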
Chipotle is known for its social media-based promotions, one of which, in 2013, ironically included a faked hack of its Twitter account.