The Washington Times - Thursday, November 29, 2018

Dunkin’ Donuts on Thursday alerted customers of the chain’s “DD Perks” program about the potential compromise of their account credentials.

“Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” parent company Dunkin’ Brands said in a letter sent to potentially affected customers.

“We believe that these third-parties obtained usernames and passwords from security breaches of other companies,” the company told account holders. “These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet.”

The type of potentially compromised data depends on what information affected customers entered into their accounts, but could include full names, email addresses and DD Perks numbers, the company said.

Dunkin’ Donuts did not say how many users may have been affected, and the company did not immediately return a request for clarification.

Headquartered in Canton, Massachusetts, Dunkin’ Donuts has over 11,000 shops in 36 countries, including 8,500 in the United States, according to its website. It launched its “DD Perks” loyalty program in 2011, and the program boasted more than 7.5 million users as of November 2017.

Dunkin’ said that its security vendor prevented most of the attempted log-ins, and that the company has reset the passwords of users who may have been affected after becoming aware of the activity late last month.

“We immediately launched an internal investigation and have been working with our security vendor to remediate this event and to help prevent this kind of event from occurring in the future,” the company said Thursday. “We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third parties responsible for this incident.”

The technique is known among the security community as “credential stuffing,” and experts said users can reduce the likelihood of falling victim to this type of attack by safeguarding their online accounts with unique passwords.

“The attack on Dunkin’ Donuts was basically a brute force attack, reusing credentials stolen in other previous breaches against the Dunkin portal,” explained Andy Norton, director of threat intelligence for network security provider Lastline. “Password reuse is a common bad practice.”

“The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone,” added Ryan Wilk, vice president of customer service for Mastercard’s NuData Security. “Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem. One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements.”
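The detection Mr. Wilk describes comes down to spotting automation at the login endpoint: a credential-stuffing run tries many different usernames from one source in a short window, and most of those attempts fail because the reused password does not match. The script below is an added example, not code from the article, Dunkin’ or its security vendor; it uses a constructed, space-separated login log (timestamp, source IP, username, result) and assumed thresholds (60-second window, at least five distinct accounts, at least half the attempts failing). A single user retrying their own password from one address is deliberately not flagged, and the successful logins from a flagged source are listed as the accounts whose passwords should be reset, which is the response the article says Dunkin’ took.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Dunkin' data). One line per login attempt:
# <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2018-10-28T02:00:01Z 198.51.100.7 alice@example.com FAIL
2018-10-28T02:00:02Z 198.51.100.7 bob@example.com FAIL
2018-10-28T02:00:02Z 198.51.100.7 carol@example.com OK
2018-10-28T02:00:03Z 198.51.100.7 dave@example.com FAIL
2018-10-28T02:00:03Z 198.51.100.7 erin@example.com FAIL
2018-10-28T02:00:04Z 198.51.100.7 frank@example.com FAIL
2018-10-28T02:00:04Z 198.51.100.7 grace@example.com OK
2018-10-28T02:00:05Z 198.51.100.7 heidi@example.com FAIL
2018-10-28T02:00:05Z 198.51.100.7 ivan@example.com FAIL
2018-10-28T02:00:06Z 198.51.100.7 judy@example.com FAIL
2018-10-28T02:05:00Z 203.0.113.9 alice@example.com FAIL
2018-10-28T02:05:20Z 203.0.113.9 alice@example.com FAIL
2018-10-28T02:05:45Z 203.0.113.9 alice@example.com OK
2018-10-28T03:10:00Z 192.0.2.44 mallory@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    source: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed log format above into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, result = line.split()
        events.append(LoginEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            source,
            user.lower(),          # normalise so Alice@ and alice@ count as one account
            result == "OK",
        ))
    return events


def detect_credential_stuffing(events: list[LoginEvent],
                               window: timedelta = timedelta(seconds=60),
                               min_distinct: int = 5,
                               min_fail_ratio: float = 0.5) -> dict:
    """Flag sources that hit many distinct accounts with a high failure rate
    inside one sliding window. Thresholds are assumptions for the example.
    Returns {source: {attempts, distinct_users, fail_ratio, accounts_to_reset}}."""
    by_source: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    findings = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        # Slide a window starting at each event; stop at the first window that trips.
        for i, start in enumerate(evs):
            window_evs = [e for e in evs[i:] if e.ts - start.ts <= window]
            distinct = {e.user for e in window_evs}
            fails = sum(not e.ok for e in window_evs)
            ratio = fails / len(window_evs)
            if len(distinct) >= min_distinct and ratio >= min_fail_ratio:
                findings[source] = {
                    "attempts": len(window_evs),
                    "distinct_users": len(distinct),
                    "fail_ratio": round(ratio, 2),
                    # Logins that succeeded during the run used a reused password:
                    # these are the accounts to reset and notify.
                    "accounts_to_reset": sorted(e.user for e in window_evs if e.ok),
                }
                break
    return findings


if __name__ == "__main__":
    for source, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{source}: {info}")
```

Running it flags only 198.51.100.7 (ten distinct accounts in five seconds, 80% failures) and names carol@ and grace@ as the accounts to reset; the three attempts on alice@ from 203.0.113.9 look like a person mistyping their own password and pass through untouched. In production the same logic would feed a rate limiter or step-up challenge at the login endpoint rather than a printout, and the thresholds would be tuned against the site's normal traffic.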

Dunkin’ plans to officially drop “Donuts” from its name in 2019, the company announced previously.

Copyright © 2019 The Washington Times, LLC.
