It's a mystery that some Chipotle customers across the country don't understand.
Diners are reporting that shortly after ordering on Chipotle's app, someone else started billing phantom orders to their account.
Jessica Gallenstein is one of those diners. She recently placed an order through Chipotle's app, then picked up her order a few minutes later at her local restaurant in Ohio.
"I just bought a meal for myself, and that was it," Gallenstein said.
But the next day her bank sent an alert that her debit card was overdrawn.
"My account was in negative amounts, and more than a hundred dollars were placed for orders I didn't give permission to be placed," she said.
She couldn't believe what she saw when she logged into her banking app.
"I checked the transaction history and saw that multiple orders were placed through the Chipotle app without my permission," she said.
A string of orders, ranging between $10 and $40, had been made using her debit card. The orders all came within a 24-hour period and were placed at several different Chipotle restaurants in her area — as if her password and user name had been shared among a group of friends.
How was her account hacked?
Luckily, her bank is dropping the charges. But Gallenstein wants to know who hacked her account.
"I'm disputing the charges, and they said they would take care of it at their end, but as for Chipotle, I've called them numerous times and haven't heard anything," she said.
Chipotle admitted to a major data breach two years ago, back in 2017, but it says these new cases have nothing to do with that. Chipotle even told the Nation's Restaurant News it suffered no new breach this year.
But more than two dozen customers from all parts of the country have posted similar complaints on Reddit.
"Chipotle customer accounts, like accounts for many other retail, hotel, and restaurant companies, have had instances of 'credential stuffing', where user names and passwords stolen from other companies are tested to see if they work," Chipotle said when asked about Gallenstein's claims.
Chipotle believes Gallenstein's password may have been stolen somewhere else, then used when she activated the app that evening.
"I've used other online ordering apps before, and this has never happened to me," Gallenstein said.
She remains nervous that she could be hacked again, even though she changed her password.
How to protect yourself
So, should Chipotle customers be concerned?
Not at this time. Customers who use a unique password should be fine. But it's always important to avoid using the same password on multiple sites.
If a password is stolen from one site, a hacker will try it with the same email address at other popular sites. So be careful, and don't waste your money.
"Don't Waste Your Money" is a registered trademark of Scripps Media, Inc. ("Scripps").
Follow John on Twitter (@JohnMatarese)