Report says credit cards used at Sonic restaurants are up for sale on the dark web

Beware, late-night snackers and fast food connoisseurs: Millions of credit and debit cards used at Sonic restaurants may have been compromised and put up for sale in "underground cybercrime stores."

Security expert and investigative journalist Brian Krebs first reported the possible breach after he learned of multiple instances of fraudulent transactions on cards previously used at Sonic locations.

When Krebs heard from "multiple sources" that cards used at sonic were being flagged for fraudulent transactions, he started to connect the dots. Around the same time, a batch of 5 million credit cards had been put up for sale on the "credit card theft bazaar" Joker's Stash, one of the hacked credit card hubs that Krebs monitors.

To determine a connection between the Sonic rumors and the new stolen haul, Krebs then had sources buy cards from the stolen cache, for $25-$50 per card. He found that this random selection of cards had all been used for purchases at Sonic prior to their uploading on the dark web.

Sonic has confirmed their knowledge of the breach. Over email, Sonic corporate wrote to Mashable that the company's credit card processor informed them last week of "unusual activity regarding credit cards used at SONIC."

With 3,600 locations across the U.S., Sonic does not yet know how many restaurants or individuals have been affected.

"The security of our guests’ information is very important to SONIC," wrote Christi Woodworth, Vice President of Public Relations. "We are working to understand the nature and scope of this issue, as we know how important this is to our guests.  We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."

The Sonic breach comes less than a month after the massive personal information hack of credit reporting agency Equifax, which compromised the social security, credit card, and driver's license information of 143 million Americans. The Equifax CEO Richard Smith has since stepped down from his post.