Boston-based Dunkin’, the brand formerly known as Dunkin’ Donuts, has warned its customers that DD Perks rewards accounts may have been accessed by a third party in a credential-stuffing attack, in which hackers sought to steal rewards points to sell and trade on the dark web.
The incident was discovered on October 31, 2018, by one of Dunkin’s security vendors, and it is believed that malicious third-party actors used credentials stolen from other breaches to access user accounts.
According to a statement shared with Infosecurity Magazine by a Dunkin’ spokesperson, “Dunkin’ Brands has issued notification letters to certain DD Perks account holders who may have experienced unauthorized access to their accounts.”
Additionally, the company's incident advisory warned that the attackers might have accessed the first and last names of impacted account holders, along with their email addresses, 16-digit DD Perks account numbers and DD Perks QR codes. Dunkin’ said it forced a password reset, so all potentially affected account holders would be logged out and have to set a new password to log back in to their accounts.
“Just when you thought that hackers could not come between you and your morning coffee, they get you right in the rewards points. NuData Security has found that 90% of cyberattacks start with some sort of automation, credential stuffing being a prominent one like the one perpetrated on Dunkin’,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.
“The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone. What this means is that adversaries can automatically cycle through username and password pairs against login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found.”
While customers are advised to change their passwords, Wilk said this is only a temporary fix that fails to address the root of the problem. “One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company's environment.”
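The login-time detection Wilk describes can be approximated without behavioral biometrics from ordinary authentication logs. The following is an added example, not code from the article, NuData or Dunkin’: it runs a sliding-window detector over constructed login events, flags any source address that cycles through many distinct accounts with a low success rate (the credential-stuffing signature, as opposed to one user mistyping a password), and lists the accounts that address did get into so they can be force-reset. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: "<timestamp> <source ip> <account> <result>".
SAMPLE_LOG = """\
2018-10-31T08:00:01 203.0.113.7 alice@example.com FAIL
2018-10-31T08:00:02 203.0.113.7 bob@example.com FAIL
2018-10-31T08:00:02 203.0.113.7 carol@example.com FAIL
2018-10-31T08:00:03 203.0.113.7 dave@example.com SUCCESS
2018-10-31T08:00:04 203.0.113.7 erin@example.com FAIL
2018-10-31T08:00:05 203.0.113.7 frank@example.com FAIL
2018-10-31T08:05:00 198.51.100.2 alice@example.com FAIL
2018-10-31T08:05:30 198.51.100.2 alice@example.com FAIL
2018-10-31T08:06:00 198.51.100.2 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_events(text):
    """Parse log lines into (timestamp, ip, account, succeeded); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events

def detect_stuffing(events, window=timedelta(minutes=1), min_users=5, max_success_rate=0.3):
    """Flag source IPs that hit >= min_users distinct accounts inside `window`
    with a success rate <= max_success_rate. Thresholds are assumed values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # keep chunk within window
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                                   "hit_accounts": sorted({u for _, u, ok in chunk if ok})}
    return flagged
```

The legitimate user at 198.51.100.2 who fails twice on one account is not flagged; the address cycling six accounts in five seconds is, and `hit_accounts` gives the list of accounts to reset.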