Chipotle Twitter gets hacked, sends flurry of racist tweets

This story contains images of hate speech and may be NSFW.

Sometimes the fast-food burrito chain Chipotle is pretty good at Twitter; other times, not so much. Earlier this week, Chipotle asked its fans to tweet haikus about how much they loved the burritos and the results were not a disaster, which is about the best #brands on social media can hope for at this point. All was good. Then, a few days later, the company’s Twitter account was hacked, its avatar was changed to a swastika, and it started tweeting a stream of trolling bile. 

The hack occurred late Saturday night. While the takeover only lasted a few minutes with the tweets quickly being scrubbed from the company’s account, screenshots of the message started circulating around the microblogging service almost immediately.


Since the swastika appeared throughout Twitter’s Web presence for the duration of the attack, going back and looking at Chipotle’s older tweets was also pretty awkward.

The company apologized shortly after regaining exclusive control over the account. 

During the hack, Chipotle’s Twitter bio was changed to point to two other accounts, presumably belonging to the hackers claiming credit for the attack. Both of those Twitter accounts have been suspended, although before the accounts were erased, one of the hackers explained the motivation behind the attack:


The attack appears to have been carried out by compromising Chipotle’s domain name system (DNS) records. DNS translates human-readable domain names into the numerical IP addresses computers use, and it also determines where email sent to a domain is delivered. The hackers changed Chipotle’s DNS so that emails originally sent to an internal company email address were instead routed to one they controlled. Once they had access to Chipotle’s email, all the hackers had to do was ask for a password reset on the account, intercept the email, change the password to something of their choosing, and then start tweeting Nazi stuff.
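A takeover of this kind depends on the domain's mail being delivered somewhere new, which is visible in DNS as a changed record. The Python check below is an added example, not part of the original article: it compares dig-style answers against an approved baseline, assuming the rerouting shows up in MX or NS records (the article does not say which records were changed). Every domain, host and record in it is constructed.

```python
# Added example: flag MX/NS records that differ from an approved baseline.
# Every domain, host and record here is constructed for illustration.
BASELINE = {
    ("brand.example.", "MX"): {"mx1.mailprovider.example.", "mx2.mailprovider.example."},
    ("brand.example.", "NS"): {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
}

# Constructed dig-style answers as they might look after a DNS takeover.
TAMPERED = """
; constructed sample, not real output
brand.example. 300 IN MX 10 mail.intercept.example.
brand.example. 3600 IN NS ns1.dnsprovider.example.
brand.example. 3600 IN NS ns2.dnsprovider.example.
"""

def parse_answers(text):
    """Parse '<name> <ttl> IN <type> <rdata>' lines into {(name, type): hosts}."""
    observed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        name, rtype = fields[0].lower(), fields[3].upper()
        # MX rdata is '<preference> <host>', NS rdata is '<host>'.
        need = {"MX": 6, "NS": 5}.get(rtype)
        if need is None or len(fields) != need:
            continue
        host = fields[-1].lower()
        if not host.endswith("."):
            host += "."
        observed.setdefault((name, rtype), set()).add(host)
    return observed

def find_drift(baseline, observed):
    """Return (name, type, status, host) for each unexpected or missing record."""
    findings = []
    for key in sorted(baseline):
        seen = observed.get(key, set())
        findings += [(*key, "unexpected", h) for h in sorted(seen - baseline[key])]
        findings += [(*key, "missing", h) for h in sorted(baseline[key] - seen)]
    return findings

if __name__ == "__main__":
    for finding in find_drift(BASELINE, parse_answers(TAMPERED)):
        print("ALERT", *finding)
```

Run on a schedule against answers from the domain's authoritative servers, a check like this surfaces a mail-routing change before a password-reset email can be intercepted unnoticed.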

The Electronic Frontier Foundation’s Parker Higgins told the Daily Dot that, even though the hackers messed with Chipotle’s DNS, it doesn’t mean the company’s official website was necessarily compromised. DNS functions on a different “layer” of the Internet than do websites, so the hackers may have only had the ability to point traffic initially directed to Chipotle to other online locations.

Representatives from Chipotle did not immediately respond to a request for comment.

The hackers used that ability to redirect visitors to Chipotle.com to the Twitter profile of the person claiming credit for the attack. 

Naturally, everyone on Twitter hoped that the hack would somehow result in getting free burritos—even though it almost certainly won’t. Everyone knows the only way to get free Chipotle is to write burrito-themed haikus. 

Ultimately, the moral of the story is that Chipotle probably needs better online security procedures. 

Photo by proshob/Wikimedia Commons (CC BY-SA 3.0)

Aaron Sankin


Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.