Dunkin’ Donuts is informing some of its DD Perks program members that their account information may have been exposed through a credential stuffing attack.

The incident was discovered on October 31, 2018 when the donut seller’s security vendor notified the company that some Perks accounts were being accessed by unauthorized individuals. Dunkin’ believes the hackers are using login credentials harvested from other data breaches in order gain entry to these accounts. Essentially, the Perks members used the same username and password over multiple accounts.

The exposed information includes names, email addresses and the 16-digit Perks account numbers and QR codes. In response, Dunkin’ forced a password reset of all accounts and is in the process of mailing letters to those believed affected.

“We believe that these third-parties obtained usernames and passwords from security breaches of other companies. These individuals then used the usernames and passwords to try to break into various online accounts across the internet,” Dunkin Donuts said in a statement.

The company believes only a portion of the accounts were breached, but has not cited how many people were involved.

“Credential stuffing should be a thing of the past, but unfortunately organizations are not taking the simple steps required to thwart these types of attacks. Leveraging available technologies like multi-factor authentication, device fingerprinting, and AI to detect anomalous behaviors, which then populate blacklists, are just a few steps that can be taken to protect customer data,” said Jason Bonds, VP of Sales for Ping Identity.