Dunkin Brands Inc, the Massachusetts-based parent company of the Dunkin’ Donuts franchise, informed members of the Dunkin Donuts Perks and Rewards program that their reward accounts could have been compromised, after its cybersecurity team (an external security vendor) detected last month that a hacker could have accessed their profiles and personal data. It is believed that on October 31 the security vendor made officials from the Dunkin Donuts brand aware that third parties could have obtained usernames and passwords from security breaches that had taken place at other subsidiary or partner companies. Dunkin stated that its own internal systems were not breached and that several of the attempts to use the information were blocked, but it is not entirely improbable that third parties succeeded in logging into the Dunkin Donuts Perks accounts of many of its customers.
The company has stated that it did not experience a true breach of its own backend systems, but was instead the target of a well-known automated attack technique called credential stuffing.
If the attempts were successful, they could have exposed some of the secure information of some of its customers, including names, email addresses, Dunkin Donuts Perks account numbers and DD Perks QR codes. The suspected third parties could have obtained account usernames and passwords through security breaches at other companies or organizations, and may have used this information to log in to certain Dunkin Donuts customer accounts.
The company said it learned of the attack from one of its security providers, which, according to Dunkin’ Donuts representatives, had successfully mitigated and stopped any further breaches and data theft from Dunkin’ Donuts accounts by these suspected third parties.
The company did admit that some of the fraudulent login attempts detected by its security provider might have been successful. As a result, the company stated that it had sent notifications to all Dunkin’ Donuts account holders it believed had certainly been affected.
When asked for an approximation of how many customers had been affected and had their personal information stolen, the company did not disclose the exact number.
According to the company’s spokespersons, the information the hackers could have made away with if they did have access to DD Perks accounts includes the following:
- The user’s first and last names,
- Email address (also used as a username),
- DD Perks account number (16 digits), and
- QR codes for DD Perks.
DD Perks accounts are part of the Dunkin’ Donuts mobile app rewards program, which allows users to earn points each time they make a purchase at a Dunkin’ Donuts outlet. They can redeem these reward points at any outlet to receive free or discounted products.
At first thought, access to these accounts may seem of little value, but considering that there are underground or obscure web portals which offer access to various rewards programs, the threat is real! Although access to Dunkin’ Donuts accounts has not yet been reported on these websites, it is just a matter of time before such listings start appearing. These portals regularly sell access to the rewards programs of popular bed & breakfast chains, airlines, and fast-food restaurant chains.
As a preventive measure in response to the detected credential stuffing attack, which according to Dunkin’ Donuts officials occurred on the 31st of October, the company forced a password reset for all account holders and also replaced the account numbers and the relevant DD Perks value cards. The company also stated that it had reported the breach to law enforcement and was working closely with state cybersecurity teams to identify and apprehend the third parties responsible for the incident.