Dunkin Donuts is yet again in the news for suffering a data breach, the last time was in October. This time, by way of a credential stuffing attack in which attackers used stolen username and password combinations found on separate sites that gave them access to the Dunkin system. Attackers went after the DD Perks rewards accounts, which have information such as first and last names, email addresses (usernames), 16-digit perks account numbers, and QR codes. Although this information was included, it wasn’t the main target–the accounts themselves were what the attackers were after. The accounts were found being sold through Darkweb forums where users buy them and use them at Dunkin Donuts locations across the country to receive free drinks and other rewards. It is unknown at this time how Dunkin Donuts plans to mitigate the issue as they have not made a comment at this time of writing.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased