Credential-stuffing attack compromises Dunkin’ Donuts member accounts
29 November 2018
An unspecified number of accounts belonging to subscribers of Dunkin’, the owner of the Dunkin’ Donuts franchise, was reportedly compromised on October 31st after cyber criminals carried out credential-studding attacks on the company’s website using credentials stolen from other organisations.
Several Dunkin’ rewards accounts compromised
In a notification to affected DD Perks rewards account holders, Dunkin’ said that it did not suffer any data breach but credential-stuffing attacks launched by hackers may have compromised accounts of members who used the same credentials to log in to accounts with other organisations.
The attack was detected by a third party security vendor who was successful in stopping most of such credential-stuffing attempts. It is believed that full names, email addresses, 16-digit DD Perks account numbers and DD Perks QR codes associated with certain member accounts may have been compomised as a result of the attack.
In order to protect affected members, Dunkin’ immediately reset passwords of all member accounts and replaced impacted DD Perks account numbers and value cards.
Password reuse a major reason behind the compromise
Adam Brown, manager of security solutions at Synopsys, told TEISS that the credential-stuffing attack on the Dunkin’ website is a good example of why password re-use is a really bad thing, and the affected users should take some of the blame for that.
“Dunkin’ has done nothing wrong, but someone else has leaked some very sensitive information – usernames, email addresses and passwords. That means any victims in that list that re-use the same password can be considered breached. In addition, the organisation that owned the leaked data could expect some privacy fines or actions.”
He added that while the affected customers should now wisen up and use unique passwords for different accounts or use password managers, Dunkin’ could have stopped the compromise of several member accounts had it implemented two-factor authentication. However, since the loss of reward points can be considered a lower risk, it is debatable whether 2FA, which affects usability and convenience, is a necessary control in this case.
Ryan Wilk, vice president at NuData Security, said that having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem.
“One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioural biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment,” he added.