Dunkin' Donuts accounts compromised in second credential stuffing attack in three months

Hacked Dunkin' Donuts accounts are now being sold on Dark Web forums.
Written by Catalin Cimpanu, Contributor

Dunkin' Donuts announced today that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts.

This marks the second time in three months that the coffee shop chain has notified users of account breaches following credential stuffing attacks.

Credential stuffing is a cyber-security term for a type of cyber-attack in which hackers take combinations of usernames and passwords leaked at other sites and use them to gain (illegal) access to accounts on new sites.

Dunkin' Donuts reported the first credential stuffing attack at the end of November (the attack itself occurred on October 31). Today, the company reported a second credential stuffing attack (this one happened on January 10).

Just like in the first attack, hackers used credentials leaked at other sites to gain entry to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free beverages or discounts on other Dunkin' Donuts products.

The type of information typically stored inside a DD Perks account includes a user's first and last names, email address (also used as username), a 16-digit DD Perks account number, and a DD Perks QR code.

But hackers weren't after users' personal information stored in Dunkin' Donuts rewards accounts. Instead, they were after the account itself, which they are selling on Dark Web forums, according to a screenshot shared with ZDNet by AI-powered network security company Lastline.

Image: Dunkin' Donuts account seller listing (credit: Lastline, provided)

During online conversations and phone calls over the past few months with this reporter, several security engineers at American ISPs (who couldn't share their names due to non-disclosure agreements) have told ZDNet that this is a growing trend in the cyber-criminal underground. According to our sources, hacker groups are renting IoT botnets and running scripts to carry out credential stuffing attacks against a wide range of online services.

One of the scripts that they use to automate credential stuffing attacks is called SNIPR.

Andy Norton, Director of Threat Intelligence at Lastline, shared with ZDNet a screenshot of an ad on a hacking forum where a threat actor was selling a SNIPR config specifically for attacking the Dunkin' Donuts login page.

Image: forum ad for a Dunkin' Donuts SNIPR config (credit: Lastline, provided)
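As an added illustration (not from the article or from Lastline), the two patterns described above, a single source cycling through many leaked username/password pairs and a rented botnet spreading the same attempts across many IPs, can be picked out of authentication logs with simple per-source and per-time-window counts. The log lines, client strings and thresholds below are constructed for the example:

```python
from collections import defaultdict

# Constructed sample auth log (not real data). Fields: epoch, src_ip, username, client, result
SAMPLE_LOG = """\
1547100000 203.0.113.10 alice@example.com python-client FAIL
1547100001 203.0.113.10 bob@example.com python-client FAIL
1547100002 203.0.113.10 carol@example.com python-client OK
1547100003 203.0.113.10 dave@example.com python-client FAIL
1547100004 203.0.113.10 erin@example.com python-client FAIL
1547100005 203.0.113.10 frank@example.com python-client FAIL
1547100010 198.51.100.7 alice@example.com Mozilla/5.0 FAIL
1547100030 198.51.100.7 alice@example.com Mozilla/5.0 OK
1547100100 192.0.2.11 gina@example.com bot-client FAIL
1547100101 192.0.2.12 hank@example.com bot-client FAIL
1547100102 192.0.2.13 ivy@example.com bot-client OK
1547100103 192.0.2.14 jack@example.com bot-client FAIL
1547100104 192.0.2.15 kim@example.com bot-client FAIL
"""

def parse(log):
    """Turn log text into (ts, ip, user, client, success) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, user, client, result = line.split()
        rows.append((int(ts), ip, user, client, result == "OK"))
    return rows

def stuffing_sources(rows, min_users=5, max_success=0.5):
    """Single-source signal: one IP cycling through many distinct usernames,
    mostly failing. Returns {ip: (distinct_users, success_rate)}."""
    per_ip = defaultdict(lambda: [set(), 0, 0])  # users, attempts, successes
    for _, ip, user, _, ok in rows:
        e = per_ip[ip]
        e[0].add(user); e[1] += 1; e[2] += ok
    return {ip: (len(u), s / n) for ip, (u, n, s) in per_ip.items()
            if len(u) >= min_users and s / n <= max_success}

def distributed_campaigns(rows, window=300, min_ips=5, max_success=0.5):
    """Botnet signal: within one `window`-second bucket, the same client string
    shows up from many IPs, each trying its own account, with a low success
    rate. Returns {client: sorted list of IPs} for flagged buckets."""
    buckets = defaultdict(lambda: [set(), set(), 0, 0])  # ips, users, attempts, ok
    for ts, ip, user, client, ok in rows:
        b = buckets[(client, ts // window)]
        b[0].add(ip); b[1].add(user); b[2] += 1; b[3] += ok
    return {client: sorted(ips) for (client, _), (ips, users, n, s) in buckets.items()
            if len(ips) >= min_ips and len(users) >= len(ips) and s / n <= max_success}
```

Running `stuffing_sources(parse(SAMPLE_LOG))` flags 203.0.113.10 (six accounts, one success), while `distributed_campaigns` flags the five-IP "bot-client" burst that no per-IP rule would catch; the legitimate user at 198.51.100.7 who retried their own account is not flagged by either.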

Once hackers break into accounts, they either exploit them by extracting personal information from accounts and reselling the personal data to financial fraud operators, or they sell access to the hacked accounts themselves.

This latter case is what's happening with Dunkin' Donuts accounts: hackers put the hacked accounts up for sale, and the buyers then use the reward points found in these accounts at Dunkin' Donuts shops to receive unearned discounts and free beverages.

"Dunkin' continues to work aggressively in combatting credential stuffing attacks, which have become increasingly prevalent across the retail industry given the massive volume of stolen credentials now widely available online," a spokesperson told ZDNet via email.

"Dunkin's internal systems did not experience a data security breach; however, when we are made aware by our security vendors that third-parties may have obtained our customers' usernames and passwords through other companies' or organizations' security breaches and potentially accessed their accounts, we immediately take action to protect the consumer by resetting their password and changing any Dunkin' cards they may have.

"When this becomes necessary, we provide notification letters to the affected consumers. In this case, we contacted 1,200 of our more than 10 million DD Perks members," the company said, putting the most recent breach in perspective.

Dunkin' Donuts isn't the only company that has suffered a credential stuffing attack in the past few months. Ad blocker company AdGuard suffered one in September 2018, banking giant HSBC in November, and Reddit, DailyMotion, Deliveroo, and Basecamp last month.

Credential stuffing attacks have become a big issue for online service providers in the past two years after billions of username and password combinations have gradually made their way into the public domain.

While these username-password combos were initially hard to come by because they were sold on well-hidden hacking forums, they have since been shared and re-shared so much that they're now generally available to anyone who knows how to use a search engine and has the time to dig through search results for still-working download links.

Article updated on February 12 with information about the SNIPR config ad and a statement from Dunkin' Donuts.
