Credential-stuffing attack compromises Dunkin’ Donuts member accounts

Credential-stuffing attack compromises Dunkin’ Donuts member accounts

Dunkin' Donuts suffers second credential-stuffing attack in three months

An unspecified number of accounts belonging to subscribers of Dunkin', the owner of the Dunkin' Donuts franchise, was reportedly compromised on October 31st after cyber criminals carried out credential-studding attacks on the company's website using credentials stolen from other organisations.

Several Dunkin' rewards accounts compromised

In a notification to affected DD Perks rewards account holders, Dunkin' said that it did not suffer any data breach but credential-stuffing attacks launched by hackers may have compromised accounts of members who used the same credentials to log in to accounts with other organisations.

The attack was detected by a third party security vendor who was successful in stopping most of such credential-stuffing attempts. It is believed that full names, email addresses, 16-digit DD Perks account numbers and DD Perks QR codes associated with certain member accounts may have been compomised as a result of the attack.

In order to protect affected members, Dunkin' immediately reset passwords of all member accounts and replaced impacted DD Perks account numbers and value cards.

Password reuse a major reason behind the compromise

Adam Brown, manager of security solutions at Synopsys, told TEISS that the credential-stuffing attack on the Dunkin' website is a good example of why password re-use is a really bad thing, and the affected users should take some of the blame for that.

"Dunkin' has done nothing wrong, but someone else has leaked some very sensitive information - usernames, email addresses and passwords. That means any victims in that list that re-use the same password can be considered breached. In addition, the organisation that owned the leaked data could expect some privacy fines or actions."

He added that while the affected customers should now wisen up and use unique passwords for different accounts or use password managers, Dunkin' could have stopped the compromise of several member accounts had it implemented two-factor authentication. However, since the loss of reward points can be considered a lower risk, it is debatable whether 2FA, which affects usability and convenience, is a necessary control in this case.

Ryan Wilk, vice president at NuData Security, said that having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem.

"One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioural biometrics, automated activity is flagged at login before it can even test any credentials in the company's environment," he added.


It is getting boring reading about “Password1"

Six ways to create secure passwords you’ll actually remember

Can new authentication methods change business?

Copyright Lyonsdown Limited 2021

Top Articles

Data of 500m LinkedIn users put up for sale on the Dark Web

Detailed personal and professional information associated with 500 million LinkedIn profiles has been put up for sale on a popular dark web forum.

Several EU bodies suffered cyber attacks in March, EU reveals

A number of European Union institutions, including the European Commission, were the targets of cyber attacks in March.

The rise and rise of nation state cyber attacks

There has been a 100% rise in nation state cyber attacks over the last three years with attacks aimed at organizations with high value IP, such as technology and pharmaceutical…

Related Articles