Dunkin' Donuts customers' accounts compromised through yet another credential stuffing attack

Dunkin' Donuts revealed on Feb. 12, 2019, that on Jan. 10, 2019, they again became victim to the credential stuffing attack. As a result of this attack, the attackers were able to have access to a few of their customers' accounts. This is second time in last three months that Dunkin' Donuts notifies the users about account breaches following the credential stuffing attacks. Dunkin' Donuts reported about the credential stuffing attack on them for the first time on November-end of 2018, although the actual attack takes place on October 31, 2018.

Credentials stuffing attack is the cyber attack type where attackers use the usernames and passwords combinations leaked on other sites for gaining illegal access on the user accounts. After the attackers obtain illegal access of the user accounts through credential stuffing attack, then they either sell access of breached accounts or they extract the personal information from user accounts and resell those personal data to the cybercriminals.

In the latest credential stuffing attack, the hackers used credentials of user leaked on other sites for gaining access to rewards accounts of DD Perks. The rewards accounts of DD Perks provide Dunkin' Donuts regular customers a reward system for earning points, and then use those points to have free beverages or money off (i.e. discounts) on other products of Dunkin' Donuts. The accounts of DD Perks include information like users' first as well as last names, 16-digit account number of DD Perks, email addresses (i.e. also used as the user names) and QR codes of DD Perks.

In the latest attack, the attackers targeted the rewards accounts of Dunkin' Donuts as a whole, and not the users' personal information that is stored in those accounts. The attackers are then selling the compromised customer accounts of Dunkin' Donuts on the Dark Web forums. After this, other persons bought those compromised accounts and use reward points in shops of Dunkin' Donuts to have free beverages as well as other discounts.

Dunkin' Donuts is not the only company who became victim to the credential stuffing attack in last few months. AdGuard, Ad blocker company, fall victim in September 2018; HSBC in November 2018; and Basecamp, Reddit, and DailyMotion in last month (i.e. in January 2019).

» SPAMfighter News - 2/22/2019