Threat Watch

Dunkin Donuts Credential Stuffing Attack

Dunkin Donuts is in the news again for a data breach; the last one was in October. This time the cause was a credential stuffing attack, in which attackers used stolen username and password combinations found on separate sites to gain access to the Dunkin system. Attackers went after the DD Perks rewards accounts, which hold information such as first and last names, email addresses (usernames), 16-digit Perks account numbers, and QR codes. Although this information was included in the accounts, it wasn't the main target: the accounts themselves were what the attackers were after. The accounts were found for sale on dark web forums, where users buy them and use them at Dunkin Donuts locations across the country to receive free drinks and other rewards. It is unknown how Dunkin Donuts plans to mitigate the issue, as the company has not commented at the time of writing.

ANALYST NOTES

Users should monitor their email addresses and enable two-factor authentication. A password manager is also beneficial because it creates unique credentials for every site that requires a login.