Dunkin' Donuts accounts may have been hacked in credential stuffing attack

Hackers were after user accounts in the company's rewards points program.

Dunkin', the company behind the Dunkin' Donuts franchise, has notified owners of DD Perks rewards accounts that a hacker might have accessed their profiles and personal data last month.

The company said it didn't suffer an actual breach of its backend systems but only fell victim to an automated attack known in the cyber-security field as a credential stuffing attack.

"Third-parties who obtained DD Perks account holders' usernames and passwords through other companies' or organizations' security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts," a Dunkin' Donuts spokesperson told ZDNet today.


The company said it learned of the attack from one of its security vendors, which, Dunkin' said, "was successful in stopping most of these attempts."

But the company admits that some of these rogue login attempts might have succeeded, which is why it sent out notification letters to "certain" DD Perks account holders.
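Credential stuffing leaves a footprint a login service can watch for, which is what lets a vendor block most attempts: one source cycling through many distinct usernames with a high failure rate, while a real user retries one account. The Python detector below is an added example, not Dunkin's or its vendor's code; the log format, addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login log: "<timestamp> <source_ip> <username> <result>".
# 203.0.113.7 cycles through many accounts with mostly failures (stuffing);
# 198.51.100.9 is one user who mistyped a password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2018-10-31T02:00:01Z 203.0.113.7 alice@example.com FAIL
2018-10-31T02:00:01Z 203.0.113.7 bob@example.com FAIL
2018-10-31T02:00:02Z 203.0.113.7 carol@example.com OK
2018-10-31T02:00:02Z 203.0.113.7 dave@example.com FAIL
2018-10-31T02:00:03Z 203.0.113.7 erin@example.com FAIL
2018-10-31T02:00:03Z 203.0.113.7 frank@example.com FAIL
2018-10-31T02:05:00Z 198.51.100.9 ivan@example.com FAIL
2018-10-31T02:05:30Z 198.51.100.9 ivan@example.com OK
2018-10-31T02:06:00Z 192.0.2.44 judy@example.com OK
"""

def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, src, user, result = line.split()
    return ts, src, user, result == "OK"

def detect_stuffing(log_text, min_users=5, min_fail_rate=0.8):
    """Return {source_ip: stats} for sources that look like credential stuffing:
    many distinct usernames plus a high failure rate. Thresholds are illustrative."""
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0,
                                   "fails": 0, "hits": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, user, ok = parse_line(line)
        stats = per_src[src]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)  # accounts that now need a forced reset
        else:
            stats["fails"] += 1
    flagged = {}
    for src, stats in per_src.items():
        fail_rate = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[src] = {"distinct_users": len(stats["users"]),
                            "fail_rate": fail_rate,
                            "compromised": sorted(stats["hits"])}
    return flagged

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The `compromised` list is the set of accounts that need the forced password reset and account-number replacement described later in the article.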

The company did not reveal the number of affected customers after ZDNet inquired about the breach's impact earlier today.

The types of information hackers might have obtained if they gained access to DD Perks accounts include a user's first and last names, email address (also used as the username), 16-digit DD Perks account number, and DD Perks QR code.

DD Perks accounts are part of the Dunkin' Donuts mobile app rewards program and allow users to earn points that can be redeemed for free or discounted products.


Access to these accounts might seem useless, but there are underground or dark web portals where access to various rewards programs is sold for a few dollars. While this reporter hasn't seen access to Dunkin' Donuts accounts, these portals usually sell access to airline, hotel, or bed-and-breakfast rewards programs on a regular basis.

Following the detection of the credential stuffing attack, which Dunkin' says happened on October 31, the company forced a password reset and also replaced impacted DD Perks account numbers and value cards.

"We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for this incident," Dunkin' said.
