Dunkin’ Donuts accounts compromised in second credential stuffing attack in three months
Dunkin’ Donuts announced today that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts.
This marks the second time in three months that the coffee shop chain notifies users of account breaches following credential stuffing attacks.
Credentials stuffing is a cyber-security term that describes a type of cyber-attack where hackers take combinations of usernames and passwords leaked at other sites and use them to gain (illegal) access on accounts on new sites.
Dunkin’ Donuts reported a first credential stuffing attack at the end of November (the actual attack occurred on October 31). Today, the company reported a second credential stuffing attack (attack happened on January 10).
Just like in the first, hackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free beverages or discounts for other Dunkin’ Donuts products.
The type of information typically stored inside a DD Perks account includes a user’s first and last names, email address (also used as username), a 16-digit DD Perks account number, and a DD Perks QR code.
But hackers weren’t after users’ personal information stored in Dunkin’ Donuts rewards accounts. Instead, they were after the account itself, which they are selling on Dark Web forums, according to a screenshot shared with ZDNet by threat intel firm Lastline.
During online conversations and phone calls over the past few months with this reporter, several security engineers at American ISPs (who couldn’t share their names due to non-disclosure agreements) have previously told ZDNet about this growing trend in the cyber-criminal undergrounds. According to our sources, hacker groups are renting IoT botnets and running scripts to carry out credential stuffing attacks against a wide range of online services.
Once hackers break into accounts, they either exploit them by extracting personal information from accounts and reselling the personal data to financial fraud operators, or they sell access to the hacked accounts themselves.
This latter case is what’s happening with Dunkin’ Donuts accounts, as hackers put up the hacked accounts for sale, which are later bought by other persons that use the reward points found in these accounts at Dunkin’ Donuts shops to receive unearned discounts and free beverages.
A Dunkin’ Donuts spokesperson did not answer a request for comment before this article’s publication.
Dunkin’ Donuts isn’t the only company that has suffered a credential stuffing attack in the past few months. Ad blocker company AdGuard suffered one in September 2018; banking giant HSBC in November; but also Reddit, DailyMotion, and Basecamp last month.
Credential stuffing attacks have become a big issue for online service providers in the past two years after billions of username and password combinations have gradually made their way into the public domain.
While initially these username-password combos were hard to get by because they were being sold online on well-hidden hacking forums, recently, they’ve been shared and re-shared so much that they’re now generally available to anyone who knows how to use a search engine and has the time to dig through search results for still-working download links.