Dunkin’ Alerts DD Perks Account Holders That Hackers May Have Accessed Data
Dunkin’, the operator of Dunkin’ Donuts franchises, is alerting DD Perks rewards program account holders that their profiles and data may have been accessed by a hacker in October.
ZDNet, citing the company, reported that Dunkin’ wasn’t the victim of a breach but of a credential stuffing attack, which is an automated attack. “Third-parties who obtained DD Perks account holders’ usernames and passwords through other companies’ or organizations’ security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts,” a Dunkin’ Donuts spokesperson told ZDNet. The report noted that Dunkin’ said it was notified about the attack by a security vendor it does business with and that it was successful in stopping “most of these attempts.” It did acknowledge that some login attempts may have succeeded, and thus sent the notification to account holders.
ZDNet noted that Dunkin’ didn’t say how many customers were impacted by the breach. Some of the information potentially obtained in the breach includes users’ first and last names, email addresses, DD Perks account numbers and DD Perks QR codes. Dunkin’ said the attack happened on October 31, and when it learned of it, it forced a password reset for all impacted accounts. “We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for this incident,” Dunkin’ said. ZDNet noted that accessing the DD Perks accounts, which are part of the company’s mobile app and let users gain points to receive free or lower-priced products, may seem pointless, but rewards program data is sold on the dark web.