Dunkin’ Donuts announced on February 12, 2019 that it suffered a credential stuffing attack on January 10, 2019, which resulted in attackers gaining access to some of its customers' accounts.
It should be noted that this is the second credential stuffing attack that Dunkin’ Donuts experienced in the last three months. The first credential stuffing attack occurred on October 31, 2018.
A credential stuffing attack is a type of cyber attack in which attackers use username-password combinations leaked from other sites to gain illegal access to user accounts.
DD Perks rewards accounts exploited
In the recent credential stuffing attack, hackers used user credentials leaked at other sites to gain access to DD Perks rewards accounts. DD Perks rewards accounts give regular customers a reward system for earning points and using them to get free beverages or discounts on other Dunkin' Donuts products.
A DD Perks account includes information such as the user's first and last names, email address (also used as the username), 16-digit DD Perks account number and DD Perks QR code.
Compromised accounts for sale
In the recent attack, attackers didn't target users' personal information stored in Dunkin' Donuts rewards accounts; instead, they targeted the accounts themselves. Threat intelligence firm Lastline noted that the attackers are selling the compromised Dunkin’ Donuts customer accounts on Dark Web forums. Lastline also shared a screenshot with ZDNet.
Once attackers gain illegal access to user accounts via a credential stuffing attack, they either extract personal information from the accounts and resell that data to cybercriminals, or they sell access to the breached accounts.