Fan of KFC? Here’s some finger-licking good advice for your password: Change it now

Fans of Colonel Sanders told to change their passwords.

Graham Cluley


KFC, home of such culinary delicacies as the Zinger Burger and the Original Recipe Bargain Bucket, says that some members of its Colonel’s Club have had their accounts breached.

Members of the Colonel’s Club collect “Chicken Stamps” to earn free food rewards, and can receive exclusive offers from KFC. I know, I know… it sounds incredible.

But what’s less easy to swallow is that hackers may have broken into a “small number” of Colonel’s Club accounts. As a consequence, KFC has emailed members telling them that they should change their password:


Our monitoring systems have found a small number of Colonel’s Club accounts may have been compromised as a result of our website being targeted. Whilst it’s unlikely you have been impacted, we advise that you change your password as a precaution. If you use the same email address and password across other services, you should also reset them, just to be safe.

To be fair to KFC, I like that they have been transparent about what’s happened and that they’re giving the sensible advice that users should also reset their passwords elsewhere on the net if they were reusing the same passwords (as we’ve mentioned before, reusing the same password in multiple places is one of the biggest mistakes you can make with passwords).
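KFC’s email says its “monitoring systems” spotted that the website had been targeted, and the reason reused passwords matter is that leaked credentials are typically replayed against other sites in bulk. As an added illustration (not KFC’s code, and not part of the original article), here is the kind of check a site’s own monitoring could run over its login log to spot that pattern and decide which accounts to force-reset. The log format and the sample lines are constructed assumptions: one line per attempt, `timestamp ip username ok|fail`.

```python
"""Credential-stuffing detector over web login logs (added example).

Assumptions (not from the KFC notice): a login log with one line per
attempt in the form  "<ISO timestamp> <client ip> <username> <ok|fail>".
The log lines below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one client IP sprays many accounts and gets one
# success; a second IP is a single user mistyping once; a third is normal.
SAMPLE_LOG = """\
2016-12-12T09:00:01Z 198.51.100.7 alice@example.com fail
2016-12-12T09:00:02Z 198.51.100.7 bob@example.com fail
2016-12-12T09:00:02Z 198.51.100.7 carol@example.com fail
2016-12-12T09:00:03Z 198.51.100.7 dave@example.com ok
2016-12-12T09:00:04Z 198.51.100.7 erin@example.com fail
2016-12-12T09:00:05Z 198.51.100.7 frank@example.com fail
2016-12-12T09:01:10Z 203.0.113.5 alice@example.com fail
2016-12-12T09:01:20Z 203.0.113.5 alice@example.com ok
2016-12-12T09:02:00Z 192.0.2.9 grace@example.com ok
"""


@dataclass
class IpStats:
    """Per-client-IP counters built from the login log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts logged in from this IP


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "ok"


def collect(log_text):
    """Aggregate the log into IpStats keyed by client IP."""
    stats = defaultdict(IpStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_users=5, min_fail_ratio=0.6):
    """Return the IPs that tried many distinct accounts, mostly failing.

    A legitimate user who fumbles a password hits one account from one IP;
    a credential-stuffing run hits many accounts with a high failure rate.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = s
    return flagged


def accounts_to_reset(log_text, **thresholds):
    """Accounts that logged in successfully from a flagged IP: treat these as
    compromised and force a password reset, as KFC's notice advises."""
    flagged = flag_stuffing(collect(log_text), **thresholds)
    at_risk = set()
    for s in flagged.values():
        at_risk |= s.successes
    return sorted(at_risk)


if __name__ == "__main__":
    for ip, s in flag_stuffing(collect(SAMPLE_LOG)).items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed")
    print("force reset:", accounts_to_reset(SAMPLE_LOG))
```

On the constructed log, only `198.51.100.7` is flagged and `dave@example.com` is the one account to reset; the single user who mistyped their password from `203.0.113.5` is not flagged. The obvious limitation is that a per-IP threshold misses an attack spread across many source addresses, which is one reason a “small number” of hits out of 1.2 million accounts is still worth telling every member about, as KFC did.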

KFC told ITV News that the Colonel’s Club does not store any payment information, so the financial details of members have not been put at risk. Additionally, the company said that “only 30 of its 1.2 million members had been targeted but that all customers had been informed.”

That all sounds like good news to me.

It would be nice, however, to know what other information the hackers might have accessed. For instance, it would be a surprise if the hackers had managed to access passwords but *not* the users’ email addresses. It’s easy to imagine how an attacker might craft a phishing email and spam it out to KFC lovers.


At least KFC weren’t too chicken to ‘fess up to what appears to have happened. Still, it would be nice for them to share more information in time about precisely *how* the hackers may have breached their systems – in case there are lessons that other businesses could learn from the experience.

Unfortunately, there’s no guarantee that more information will be released. Many companies don’t like to risk revealing where they’ve goofed up when it comes to security, in case they’re left with, err… egg on their face.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Fan of KFC? Here’s some finger-licking good advice for your password: Change it now”

  1. Chris

    Also an interesting example of malefactors going after a superficially low value target (assuming that payment card details weren't accessed) presumably purely to attempt to harvest and reuse the credentials elsewhere or, as you state, attempt a follow-up phishing campaign. Perhaps the positive that could be taken from this is that criminals are resorting to targeting the Colonel's Chicken Club, but in the context of the worrying phrase that I still hear from smaller/niche businesses: 'why would anybody want to hack us?'
