Dunkin Donuts accounts compromised in credential stuffing attack

Friday 15 February 2019 00:27 CET | News

Dunkin’ Donuts has been the victim of a credential stuffing attack during which hackers gained access to customer accounts.

Credential stuffing is a type of cyber-attack in which hackers take combinations of usernames and passwords leaked at other sites and use them to gain (illegal) access to accounts on new sites. The multinational coffee company reported a first credential stuffing attack at the end of November 2018. Now, the company is reporting a second credential stuffing attack, which happened on January 10.

According to ZDNet, hackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts. The type of information typically stored inside a DD Perks account includes a user’s first and last names, email address (also used as username), a 16-digit DD Perks account number, and a DD Perks QR code.

These accounts provide repeat customers with a way to earn points and use them to get free beverages or discounts on other Dunkin’ Donuts products.

But hackers weren’t only after users’ personal information stored in Dunkin’ Donuts rewards accounts. They were also after the accounts themselves, which they are selling on Dark Web forums, according to a screenshot shared with ZDNet by AI-powered network security company Lastline.

Keywords: Dunkin Donuts, credential stuffing, cybersecurity, hackers, dark web, US, fraud prevention
Countries: World