Incident Of The Week: Dunkin’ Donuts Reports Credential Stuffing Attack

For the second time in three months, hacked accounts are being sold on Dark Web forums

Dunkin’ Donuts first reported a credential stuffing attack at the end of November last year, and is now notifying users of more account breaches following a new attack. This attack, which happened in January, is similar to the first in where hackers leveraged user credentials leaked at other sites to enter DD Perks rewards accounts.

See Related: "Top 5 Cyber Security Breaches of 2019 So Far"

The type of information stored in a DD Perks account, which provides repeat customers a way to earn points and get free merchandise or discounts, includes the user’s first and last names, emails (usernames) and a 16-digit DD Perks account number and QR code.

According to ZDNet, the hackers weren’t after users’ personal information stored in the rewards accounts; instead, they were after the account itself in order to sell on Dark Web forums.

Credential Stuffing On The Rise

Recent Akamai research shows that credential stuffing attacks are on the rise specifically for the retail and financial industries because of how easy it is to implement these automated assaults; “mobile and website interfaces and operating systems are kept at a minimum as lengthy loading time is seen to be a deterrence to customers’ and legitimate users’ online experiences.”

Further, the research notes that “both consumers and employees tend to recycle the same email and password combinations for multiple online accounts, as well as companies’ continued use of outdated or unsupported versions of operating systems. In the middle of these factors are organization employees’ and established systems’ inability to differentiate valid users accessing their respective accounts as opposed to criminal users.”

Putting The Breach In Perspective

For now Dunkin,’ hackers are putting up the hacked accounts for sale, which are later being bought and used for reward points found in these accounts. However, the implications could have been more serious if hackers decided to exploit them by extracting personal information and reselling that data to financial fraud operators, etc.

"Dunkin' continues to work aggressively in combatting credential stuffing attacks, which have become increasingly prevalent across the retail industry given the massive volume of stolen credentials now widely available online," a spokesperson told ZDNet via email.

Dunkin’ further said that their internal systems did not experience a data security breach, however, when they were made aware by security vendors that third-parties may have obtained user data, they immediately reset their passwords and changed their Perks cards.

"When this becomes necessary, we provide notification letters to the affected consumers. In this case, we contacted 1,200 of our more than 10 million DD Perks members," the company said, putting the most recent breach in perspective.

Tips To Prevent Credential Stuffing Attack

According to advice from Trend Micro, here are some ways to strengthen security against these types of attacks:

  • Practice good password hygiene. Avoid reusing the same email and password combination for multiple online accounts, and change your access credentials frequently.
  • Enable two-factor authentication (2FA) whenever possible. Layered protection is always better than single access authentication.
  • Observe your network traffic and system. A significant increase in network inquiries, access, or slowdowns may indicate an attack. Run security software to find and remove malware infection.

See Related: "Celebrate International Data Privacy Day 2019 With This Expert Advice"