Popular Donut Chain Affected by Credential Stuffing Attack
Who: Dunkin Donuts
# of Records: 1200 Loyalty Club Members
Date: 12 Feb 2019
What Happened: Hackers are conducting credential stuffing attacks to infiltrate customer loyalty accounts
How Did it Happen: Hackers break into accounts and sell access to the hacked accounts which are later bought by other persons that use the reward points found in these accounts at Dunkin’ Donuts shops to receive unearned discounts and free beverages.
Outcome: Dunkin’s internal systems did not experience a data security breach, however, when we are made aware by our security vendors that third-parties may have obtained our customers’ usernames and passwords through other companies’ or organizations’ security breaches and potentially accessed their accounts, we immediately take action to protect the consumer by resetting their password and changing any Dunkin’ cards they may have.