Credential-stuffing attack compromises Dunkin’ Donuts member accounts

Credential-stuffing attack compromises Dunkin’ Donuts member accounts

Dunkin' Donuts suffers second credential-stuffing attack in three months

An unspecified number of accounts belonging to subscribers of Dunkin’, the owner of the Dunkin’ Donuts franchise, was reportedly compromised on October 31st after cyber criminals carried out credential-studding attacks on the company’s website using credentials stolen from other organisations.

Several Dunkin’ rewards accounts compromised

In a notification to affected DD Perks rewards account holders, Dunkin’ said that it did not suffer any data breach but credential-stuffing attacks launched by hackers may have compromised accounts of members who used the same credentials to log in to accounts with other organisations.

The attack was detected by a third party security vendor who was successful in stopping most of such credential-stuffing attempts. It is believed that full names, email addresses, 16-digit DD Perks account numbers and DD Perks QR codes associated with certain member accounts may have been compomised as a result of the attack.

In order to protect affected members, Dunkin’ immediately reset passwords of all member accounts and replaced impacted DD Perks account numbers and value cards.

Password reuse a major reason behind the compromise

Adam Brown, manager of security solutions at Synopsys, told TEISS that the credential-stuffing attack on the Dunkin’ website is a good example of why password re-use is a really bad thing, and the affected users should take some of the blame for that.

“Dunkin’ has done nothing wrong, but someone else has leaked some very sensitive information – usernames, email addresses and passwords. That means any victims in that list that re-use the same password can be considered breached. In addition, the organisation that owned the leaked data could expect some privacy fines or actions.”

He added that while the affected customers should now wisen up and use unique passwords for different accounts or use password managers, Dunkin’ could have stopped the compromise of several member accounts had it implemented two-factor authentication. However, since the loss of reward points can be considered a lower risk, it is debatable whether 2FA, which affects usability and convenience, is a necessary control in this case.

Ryan Wilk, vice president at NuData Security, said that having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem.

“One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioural biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment,” he added.


It is getting boring reading about “Password1″

Six ways to create secure passwords you’ll actually remember

Can new authentication methods change business?

Copyright Lyonsdown Limited 2021

Top Articles

Is your security in need of an update this Cybersecurity Awareness month?

Cyber security experts tell teiss about the evolving threat landscape and how organisations can bolster their cyber security defenses

A new case for end-to-end encryption

How a hacker group got hold of calling records and text messages deploying highly sophisticated tools that show signs of originating in China

Telcos in Europe put muscle behind firewalls as SMS grows

Messaging is set to be one of the biggest traffic sources for telcos worldwide prompting them to protect loss of revenue to Grey Route practices 

Related Articles

[s2Member-Login login_redirect=”” /]