You can now buy the credit cards of Sonic customers for $25 on the dark web

Millions of credit card numbers—some of which were apparently stolen from Sonic Drive-In restaurants—are now for sale on a dark web market for between $25 and $50 per card, reports KrebsOnSecurity.

The restaurant chain has more than 3,600 locations in 45 U.S. states, but it’s unclear which have been impacted by the previously unreported breach. The company confirmed to Krebs that it’s investigating “a potential incident” after receiving reports of unusual credit card activity last week, and it issued a statement:

“We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

Cards for sale that have been connected to a breach at Sonic Drive-In. [Image: KrebsOnSecurity]

The batch of 5 million credit cards went on sale on Sept. 18 on a marketplace called Joker’s Stash, according to Krebs:

“Prices for the cards advertised in the Firetigerr batch are somewhat higher than for cards stolen in other breaches, likely because this batch is extremely fresh and unlikely to have been canceled by card-issuing banks yet.

Most of the cards range in price from $25 to $50, and the price is influenced by a number of factors, including: the type of card issued (Amex, Visa, MasterCard, etc); the card’s level (classic, standard, signature, platinum, etc.); whether the card is debit or credit; and the issuing bank.

I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards…”

The stolen database is just the latest in a year of leaks, breaches, and hacks, most notably the recent revelation of a massive theft of personal information from credit bureau Equifax. Sonic wouldn’t be the first fast food chain to be struck by credit card fraud. A previous breach involving Wendy’s restaurants that started in 2015 proved more costly than expected for the banking industry (and for small credit unions in particular), which had to repeatedly replace cards for some frequent customers of the burger chain who had multiple numbers compromised.