Dunkin' Donuts announced earlier today that unknown hackers carried out credential-stuffing attacks on its website in January and gained access to an undisclosed number of DD Perks rewards accounts.
On 29 November, the franchise had announced a similar credential-stuffing attack on its website that resulted in the compromise of an unspecified number of DD Perks accounts. The attack was detected by a third-party security vendor, which stopped most of the credential-stuffing attempts.
It was then believed that full names, email addresses, 16-digit DD Perks account numbers and DD Perks QR codes associated with certain member accounts were compromised as a result of the attack. In order to protect affected members, Dunkin' immediately reset passwords of all member accounts and replaced impacted DD Perks account numbers and value cards.
Hackers selling stolen credentials on the Dark Web
The new wave of credential-stuffing attacks, which took place on January 10, was carried out by hackers who wanted to sell compromised accounts to prospective buyers on the Dark Web, ZDNet has revealed. Buyers of such accounts will be able to use Dunkin' Donuts reward points to receive unearned discounts and free beverages.
"In situations like this, the practice of good password hygiene becomes critical; otherwise you're putting sensitive accounts and credentials at risk. We know that in addition to credit cards, email addresses and PII, password credentials are highly sought-after by cybercriminals – so use a different password for each of your online accounts," says Tim Bandos, Vice President of Cyber Security at Digital Guardian.
"Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you're notified that your account has been compromised, change your password immediately. Lastly, where possible, enable multi-factor authentication. Popular websites like Facebook, Gmail and Skype all offer this service," he adds.
"It's imperative that users understand the risk of weak authentication. Reusing the same password allows attackers to use credential-stuffing attacks across multiple platforms. For the hacker, once they breach one set of accounts, the payoff can be high. In order to mitigate this risk, end users and platform providers should implement both strong password criteria and second-factor authentication to ensure the user is who they say they are," says Steve Armstrong, Regional Director UK, Ireland & South Africa at Bitglass.
"Ultimately, my recommendation to any customer who has experienced a breach is to change all the passwords across all their accounts online. The use of a password manager would make managing this far simpler. The knock-on effect here is not just the loss of this specific account - but the likelihood of credentials being used elsewhere," he warns.
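The attack pattern described above, many different usernames tried from one source with mostly failed logins, is what a platform provider's detection would key on. The following is an added example, not code from Dunkin', its vendor or the article: it runs a simple credential-stuffing heuristic over a constructed login-event sample and lists the accounts that authenticated successfully from a suspicious source, i.e. the ones a provider would reset, as Dunkin' did. The log format, IP addresses and usernames are all assumed.

```python
import re
from collections import defaultdict

# Constructed sample of login events (not real data from the incident).
# Format per line: <timestamp> <source_ip> <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2019-01-10T03:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-10T03:00:02Z 203.0.113.7 bob@example.com FAIL
2019-01-10T03:00:02Z 203.0.113.7 carol@example.com SUCCESS
2019-01-10T03:00:03Z 203.0.113.7 dave@example.com FAIL
2019-01-10T03:00:03Z 203.0.113.7 erin@example.com FAIL
2019-01-10T03:00:04Z 203.0.113.7 frank@example.com FAIL
2019-01-10T03:05:00Z 198.51.100.9 alice@example.com FAIL
2019-01-10T03:05:10Z 198.51.100.9 alice@example.com SUCCESS
2019-01-10T03:06:00Z 192.0.2.44 grace@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

def parse_events(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "ip": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "SUCCESS"})
    return events

def detect_credential_stuffing(events, min_attempts=5, min_users=5,
                               max_success_rate=0.5):
    """Flag source IPs whose logins look like credential stuffing: many
    attempts spread over many distinct usernames, mostly failing. A single
    user retrying their own password (one username) is not flagged."""
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "users": set(), "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["ok"]:
            s["successes"] += 1
            s["hits"].add(e["user"])  # account that the source got into
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_rate": rate,
                           "compromised": sorted(s["hits"])}  # reset these
    return flagged
```

Thresholds are deliberately conservative; in production they would be tuned per endpoint and combined with rate limiting and multi-factor authentication rather than used alone.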