A credential stuffing attack has led to a Dunkin Donuts data breach which has seen some customer data compromised. While the breach was limited and most attempts to access customers’ DD Perks accounts were blocked, the incident does highlight the risks of password reuse.
It is unclear exactly how many customers have been affected, but for certain customers, the attackers may have gained access to their DD perks accounts – The loyalty program run by the donut company. The Dunkin Donuts data breach was limited to first and last names, email addresses, DD Perks account numbers, and QR codes.
The method used to gain access to customers DD perks accounts was unsophisticated, cheap to conduct, and in the most part can be conducted automatically. Low cost and little effort makes for a winning combination for hackers.
The Dunkin Donuts data breach did not involve internal systems and no credentials were stolen from the donut giant. Customers’ usernames (email addresses) and passwords were obtained from security breaches at other companies. Those usernames and passwords were then utilized in an automated attack on Dunkin Donuts customers’ DD Perks accounts. Dunkin Donuts has performed a password reset and affected users will be required to choose a new password. New DD Perks account numbers will be given to affected customers and their card balances will be transferred to the new account.
Since Dunkin Donuts did not expose any passwords and its systems remained secure, the only individuals that will have been affected are those that have used the same password for their DD Perks account that they have used on other online platforms.
The Risks of Password Reuse
Hackers obtain credentials from multiple data breaches, compile the data to create a list of passwords that have previously been used with a specific email address, then conduct what is known as a credential stuffing attack. Multiple login attempts are made using the different passwords associated with an email address.
The Dunkin Donuts data breach demonstrates the importance of good password hygiene and the risks of password reuse. Every user account must be secured with a strong, unique password – One that has not been used with a particular email address or username in the past and is not shared across multiple platforms.
If any online platform experiences a data breach and credentials are obtained, only the account at the breached entity will be compromised.
Naturally, using different passwords for each account means users are required to have scores of unique passwords for their work and personal accounts and remembering strong passwords can be difficult. That is why so many people reuse passwords on multiple accounts or recycle old passwords.
To avoid having to remember so many passwords it is advisable to use a password manager to generate strong passwords and store them. Of course, the password manager account must be secured with a very strong password or long pass phrase as if that account is breached, al passwords will be compromised.