Dunkin' Donuts Issues Alert for Credential Stuffing Attack, Passwords Reset

Dunkin’ Donuts Issues Alert for Credential Stuffing Attack, Passwords Reset

Written by / Courtesy of Bleeping Computer

Dunkin’ Donuts has issued a security notification alerting users of their DD Perks reward program that their accounts may have been involved in a credential stuffing attack. This attack may have allowed third-parties to gain access to some of their account information

A credential stuffing attack is when attackers compile username and passwords that were leaked from previous security breaches and use those credentials to try and gain access to the accounts at other sites.

In a security notification released on February 8th, 2019, Dunkin’ Donuts states that their internal systems did not suffer a data breach, but that users of their DD Perks reward program were targeted by a credential stuffing attack. This attack could have allowed third-parties to gain access to the user accounts and see information that was stored within them.

This notification went on to state that Dunkin’ learned about the attack on January 10th, 2019 when one of their security vendors detected attempts by a third-party to gain access to customer’s DD Perks accounts.

“Beginning on or around January 10, 2019, we learned from one of our security vendors that a third-party may have attempted to log in to your DD Perks account. We believe that these third-parties obtained usernames and passwords from security breaches of other companies. These individuals then used the usernames and passwords to try to break into various online accounts across the Internet. Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’.”

If an attacker was able to gain access to a DD Perks account, they would have been able to access the account holder’s first and last names, their email address, and the 16-digit DD Perks account number and QR code.

While Dunkin’ does not indicate that store payment information was accessed, they did state that any stored value was transferred to a new account number associated with that login name. 

For those affected, Dunkin’ forced a password reset for all DD Perks accounts that may have been affected.  This would have also caused all DD Perks users to be logged out and have to log back in when they access the account through the web or via the Dunkin’ mobile app.

Unfortunately, credential attacks like this are becoming all-too-frequent due to the increasing amount of data breaches that leak account information such as usernames and passwords. To prevent these types of attacks from affecting you, it is important to utilize passwords managers to create unique and strong passwords at every site an account is created.

Dunkin’ config for credential stuffing tool discovered

Andy Norton, the Director of Threat Intelligence for security firm LastLine, told BleepingComputer that a Dunkin’ configuration for the credential stuffing tool called SNIPR was being marketed on online criminal forums.

SNIPR is tool that makes it easy for attackers to perform credential stuffing attacks by loading configuration files for various sites.

“You can see here from Feb. 8th someone has built a “Config,” which means emulated the login process for Dunkin’ Donuts, so that they can run credential lists at the site, looking for valid logins,,” Norton told BleepingComputer via email. “All organizations should implement 2- factor authentication to protect their customers from these credential stuffing attacks, and in order to save themselves from financial loss, reputation damage or customer churn.”

Update 2/12/19 8:30 PM EST: Article updated to include information from LastLine.

Read the original article over at BleepingComputer.com.