While Dunkin' may not have suffered a data breach of its own systems, the company notified everyone who has a DD Perks rewards account that cyber criminals may have accessed their personal information through their DD Perks profiles in October 2018.
According to the company's notification, the criminals may have been able to see users' names, emails, and DD Perks account numbers through a credential stuffing attack. Dunkin' was made aware of the breach by one of its security vendors on October 31st.
What is Credential Stuffing?
Credential stuffing works like this. First, cyber criminals get user names and passwords that were collected in other data breaches and sold on the dark web. Once they've obtained these credentials, they use automated tools to try them against a variety of popular websites in an attempt to access financial information, social media accounts, online shopping accounts, etc. If the stolen credentials work on one of the sites the attacker checks, the attacker can take over the account and take anything of value they find. The attacker also has full access to use the compromised account for other criminal activity, such as fraud, hosting illegal content, or sending spam and phishing emails.
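Seen from the website's side, those automated attempts leave a recognizable trail: one source trying many different user names, with most logins failing. The sketch below is an added example, not code from Dunkin' or its vendor; the log format, the sample lines, and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login log (not real data):
# timestamp, source IP, user name, result
SAMPLE_LOG = """\
2018-10-31T09:00:01 203.0.113.7 alice@example.com FAIL
2018-10-31T09:00:02 203.0.113.7 dave@example.com FAIL
2018-10-31T09:00:03 203.0.113.7 carol@example.com OK
2018-10-31T09:00:04 203.0.113.7 erin@example.com FAIL
2018-10-31T09:00:05 203.0.113.7 frank@example.com FAIL
2018-10-31T09:00:06 203.0.113.7 grace@example.com FAIL
2018-10-31T09:05:10 198.51.100.20 bob@example.com FAIL
2018-10-31T09:05:25 198.51.100.20 bob@example.com FAIL
2018-10-31T09:05:41 198.51.100.20 bob@example.com OK
2018-10-31T09:07:00 192.0.2.15 heidi@example.com OK
2018-10-31T09:08:00 192.0.2.15 ivan@example.com OK
"""

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts and mostly fail.

    min_users and max_success_ratio are assumed thresholds; a real site
    would tune them against its own traffic.
    """
    attempts = defaultdict(list)  # ip -> [(user, succeeded), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        attempts[ip].append((user, result == "OK"))

    flagged = {}
    for ip, rows in attempts.items():
        users = {user for user, _ in rows}
        hits = [user for user, ok in rows if ok]
        # One person mistyping a password is many failures on ONE account;
        # stuffing is a few tries each across MANY accounts.
        if len(users) >= min_users and len(hits) / len(rows) <= max_success_ratio:
            flagged[ip] = {
                "attempts": len(rows),
                "distinct_users": len(users),
                # Accounts that logged in from a flagged source need a reset.
                "compromised": sorted(set(hits)),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The user who mistyped a password three times and the address with two ordinary logins are not flagged; only the source cycling through six accounts is, along with the one account it got into.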
What Can I Do About It?
Dunkin's notification suggests that account users create unique passwords for their DD Perks accounts and never reuse passwords from other, unrelated online accounts. And they're completely right! As simple as it may seem, credential stuffing attacks would be completely futile if everyone used a separate, unique password for each and every account they create, whether it be banking, online shopping, or something as simple as a coffee rewards account. Can't remember all those passwords? Try using a password manager to maintain your passwords for you. Contact us and we'll get you pointed in the right direction!
You can view the official Dunkin' Donuts statement here.