Some 140 million email addresses and 10 million passwords are new to Hunt’s Have I Been Pwned website, the free service that tracks whether user credentials have been made available in data dumps.

The fast-casual restaurant chain says thieves obtained username and password information belonging to customers via a credential stuffing incident.

The company didn't reveal exactly how the breaches occurred, but the information released by the bank points to credential stuffing.