Attackers Run on Dunkin's DD Perks Rewards

Boston-based Dunkin’, the brand formerly known as Dunkin Donuts, has released a warning to its customers stating that DD Perks reward account holders were potentially hacked by a third party in a credential-stuffing attack wherein hackers were trying to steal the rewards points to sell and trade them on the dark web. The incident was discovered on October 31, 2018, by one of Dunkin’s security vendors, and it is believed that malicious third-party actors used credentials stolen from other breaches to access user accounts. According to a statement shared with Infosecurity Magazine by a Dunkin’ spokesperson, “Dunkin’ Brands has issued notification letters to certain DD Perks account holders who may have experienced unauthorized access to their accounts.” Additionally, the company's incident advisory warned that the attackers might have accessed the first and last names of impacted account holders, along with their email addresses and 16-digit DD Perks account number and their DD Perks QR code. Dunkin’ said it forced a password reset so that all potentially affected account holders would have to log out and use a new password to log back in to their accounts.