Threat Watch

Dunkin’ Donuts Falls Victim to Credential-Stuffing Attack

Dunkin’ Donuts’ security vendors made the company aware that the information of its DD Perks customers was accessed by an unknown actor. The number of affected customers is not known at this time; however, information such as customers’ first and last names, email addresses, DD Perks account numbers and QR codes was compromised. “Third-parties who obtained DD Perks account holders’ usernames and passwords through other companies’ or organizations’ security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts. These individuals then used the usernames and passwords to try to break into various online accounts across the internet,” a Dunkin’ Donuts spokesperson told reporters. Since the attack, Dunkin’ has forced password resets in an attempt to protect DD Perks members.

ANALYST NOTES

Users are strongly advised to monitor their email addresses after credential-stuffing attacks. Services are available that notify users of major breaches and whether their information has been compromised in them. Two-factor verification is also a good way to give users an extra layer of security. A password manager can be a big help in deterring attacks of this nature because it allows users to create different credentials for every site they use while only having to remember the master password.