A credential stuffing attack has allowed hackers to take a big bite out of Dunkin’ Donuts customer data. The donut giant announced Tuesday evening that a data breach in October may have led to customers’ personal information being compromised.
Dunkin’ Brands Inc. in an advisory posted to its website said that on Oct. 31, a malicious actor attempted to access customers’ first and last names, email address, as well as account information for DD Perks, Dunkin Donuts’ rewards program. That account info include customers’ 16-digit DD Perks account number and DD Perks QR code. Dunkin’ Donuts has forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back in to their account using a new password.
The company said that it believes the hacker obtained usernames and passwords from security breaches of other companies, and then used those usernames and passwords to try to break in to various online accounts via widespread automated login requests – a method also known as credential stuffing.
“Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” the company said in its statement.
Dunkin’ Donuts said its security vendor was successful in stopping most of these attempts, but it is possible still that the hacker may have succeeded in logging in to some DD Perks accounts.
Credential stuffing is affordable and seamless, making it attractive for hackers to carry out – in fact, NuData Security, a Mastercard Company, has found that 90 percent of cyberattacks start with some sort of automation – with credential stuffing being a prominent one, like the one perpetrated on Dunkin’ Donuts.
“The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone,” Ryan Wilk, VP of customer success for NuData Security, said in an email.
The incident points to the need for basic security password hygiene – specifically the need for users to utilize different passwords for different accounts.
Wilk said that merely forcing customers to change their passwords is not entirely effective.
“Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem,” he said. “One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment.”
The incident is the second notable data breach of a company this week. On Wednesday, Dell EMC warned customers of unauthorized activity on its network that occurred on Nov. 9 when it believes adversaries attempted to access names, email addresses and hashed passwords.