Popular Donut Chain Affected by Credential Stuffing Attack

2019, Breaches, February

Who: Dunkin Donuts

# of Records: 1200 Loyalty Club Members

Date: 12 Feb 2019

What Happened: Hackers are conducting credential stuffing attacks to infiltrate customer loyalty accounts

How Did it Happen: Hackers break into accounts and sell access to the hacked accounts which are later bought by other persons that use the reward points found in these accounts at Dunkin’ Donuts shops to receive unearned discounts and free beverages.

Outcome: Dunkin’s internal systems did not experience a data security breach, however, when we are made aware by our security vendors that third-parties may have obtained our customers’ usernames and passwords through other companies’ or organizations’ security breaches and potentially accessed their accounts, we immediately take action to protect the consumer by resetting their password and changing any Dunkin’ cards they may have.