Dunkin’ Donuts says DD Perks accounts may have been hacked
Dunkin’ Donuts alerted customers in its DD Perks program of a breach after the company learned that an outside source gained access to some account holders’ usernames and passwords. The company said it didn’t suffer an actual breach of its backend systems but only fell victim to a credential stuffing attack. The company said it learned of the breach on Oct. 31 and forced a password reset.
Kunal Anand, VP Technology – Runtime Strategy for the Prevoty business at Imperva
“In the case of the Dunkin’ Donuts credential stuffing incident, attackers might have accessed users’ names, email addresses, DD Perks account numbers and a DD Perks QR code—which they could have cashed in for a free donut.
Credential stuffing is like giving malicious cyber attackers a key to your front door. The PII accessed can be used to log into other accounts, potentially ones that have access to sensitive data. For example, if a DD Perks member used a work email and uses the same password to access confidential information at work, that data could be accessed and exposed by malicious attackers. This is why it is critical that consumers not only do not reuse their passwords across different accounts they hold, but they also change these passwords consistently and set up dual factor authentication to better protect themselves.
Dunkin’ took the proper first steps to stop attackers by forcing customers to change their password as soon as the incident was identified. We applaud them for doing right by their customers, issuing new account numbers and cards to those affected and alerting law enforcement of the incident.
This response also again sparks the need for a wider industry conversation about the need for a collectively agreed upon process for handling the aftermath of these credential stuffing threats. These types of attacks are likely to spike over the next 12 months as attackers gain access to cheaper compute costs and PII data increases in value, so now is the time for the entire sector to develop industry best processes for handling these attacks to ensure everyone does right by their customers.”
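The credential stuffing pattern described in the quote above leaves a recognisable trace in a site's own login logs even when, as here, no backend system was breached: one source tries many different accounts, most guesses fail, and the few that succeed are the accounts whose reused password worked. The following is an added example, not code from Dunkin', Imperva or this article: a small detector over a constructed sample log that flags such a source and returns the accounts that logged in from it, which are the ones to force-reset and notify.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): time, source IP, account, result.
SAMPLE_LOG = """\
2018-10-31T08:00:01Z 203.0.113.7 alice FAIL
2018-10-31T08:00:02Z 203.0.113.7 bob FAIL
2018-10-31T08:00:02Z 203.0.113.7 carol OK
2018-10-31T08:00:03Z 203.0.113.7 dave FAIL
2018-10-31T08:00:04Z 203.0.113.7 erin FAIL
2018-10-31T08:00:05Z 203.0.113.7 frank OK
2018-10-31T08:00:06Z 203.0.113.7 grace FAIL
2018-10-31T08:01:00Z 198.51.100.4 alice FAIL
2018-10-31T08:01:05Z 198.51.100.4 alice FAIL
2018-10-31T08:01:09Z 198.51.100.4 alice OK
"""

MIN_DISTINCT_ACCOUNTS = 5   # one source cycling through many different accounts
MIN_FAILURE_RATIO = 0.5     # most leaked passwords are stale or never reused, so most guesses miss
WINDOW = timedelta(minutes=10)  # stuffing tools run fast; spread-out attempts look like normal users

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_credential_stuffing(log_text):
    """Return {source_ip: sorted accounts that logged in successfully from it}
    for every source whose pattern matches credential stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        accounts = {u for _, u, _ in attempts}
        failures = sum(1 for _, _, r in attempts if r == "FAIL")
        span = attempts[-1][0] - attempts[0][0]
        if (len(accounts) >= MIN_DISTINCT_ACCOUNTS
                and failures / len(attempts) >= MIN_FAILURE_RATIO
                and span <= WINDOW):
            # Successes from a stuffing source are the compromised accounts.
            findings[ip] = sorted(u for _, u, r in attempts if r == "OK")
    return findings
```

The second source in the sample (one account, three tries, then success) is a user mistyping a password, and is deliberately not flagged; thresholds are assumptions to tune per site.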