For the second time in three months, Dunkin' Donuts has been the target of credential stuffing attacks.
While Dunkin’ didn’t experience an internal breach, its aid in a notification letter that “third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts.”
The company said it was alerted on Jan. 10 by one of its security vendors that hackers might have tried to log in to DD Perks accounts. “We believe that these third-parties obtained usernames and passwords from security breaches of other companies” and then used the credentials “to try to break in to various online accounts across the Internet.” While the donut chain’s security vendor successfully stopped most attempts, the company warned customers that the miscreants might have succeeded in some cases and accessed information that customers might have included in their Perks accounts like account numbers, QR codes, names and email addresses.
“There are ‘combos’ being dumped onto various sites on a daily basis.Combos are essentially emails and their respective passwords,” Lastline Director of Threat Intelligence Andy Norton. “These lists, are then taken and loaded into a tool like Snipr [used to automate credential stuffing attacks], which then connects to specified websites, and tries to match each combo with the website. When this happens the combo is then sold as a valid credential for the website.”
Norton explained that someone had “built a ‘Config,’ which means emulated the login process for Dunkin’ Donuts, so that they can run credential lists at the site, looking for valid logins.
The first attack last fall exposed information includes names, email addresses and the 16-digit Perks account numbers and QR codes. In response, Dunkin’ forced a password reset of all accounts and is in the process of mailing letters to those believed affected.
The latest incident prompted Dunkin’ Donuts to again force a password reset and take "steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards.”
The most recent “credential stuffing attack impacting Dunkin’ Donuts accounts highlights hackers’ priorities today: access,” said Ben Johnson, CTO and co-founder of Obsidian Security. “Any exposure of usernames or passwords carries massive implications with it given rampant password re-use.”
Organizations must take a more urgent approach to defending not only their own identities but those of their customers as well, since “attackers would rather use a compromised account than attempt technical exploitation,” said Johnson. “And to lessen the risk, consumers need to use a password manager, enable multifactor authentication when possible, and never, ever, reuse a password.”
He urged organizations to implement two-factor authentication (2fa) to not only “protect their customers from these credential stuffing attacks” but to “save themselves from financial loss, reputation damage or customer churn” as well.