Dunkin’ Donuts has just released a statement that their DD Perks member accounts were breached by a third-party entity. This data breach was discovered a few weeks ago on October 31st. While the company is still investigating, it has been discovered that the third party used usernames and passwords stolen from previous security breaches involving other organizations. In what is known as a credential stuffing attack, the hackers then entered those usernames and passwords into DD Perks’ accounts. This breach was discovered quickly, as Dunkin’s security vendor stopped many of the login attempts, although many were successful.
Dunkin released the following statement:
Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts. One of these may have been your account and we want you to know what happened, as well as the steps we are taking to protect your personal information.
Dunkin has warned that the compromised accounts may have exposed names, email addresses, DD Perks account numbers, and DD Perks QR codes. Although these accounts do not give away PII or credit card information, members should still be concerned. Account members should immediately change their usernames and passwords. It is highly possible that the third party has also attempted to log in to other accounts using the same usernames and passwords. Therefore, all users who use the same password for multiple accounts should immediately change their passwords.
When creating an account online, it is critical that you use a unique password each time. Otherwise, once your username and password are obtained in a data breach, hackers are able to access your other accounts, potentially gaining access to your Social Security number, credit card, or banking information.
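The credential stuffing pattern described above (one source trying many different accounts, most attempts failing, a few succeeding) can be spotted in login logs. The following is an added example, not code from Dunkin’ or its security vendor; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2000-01-01T02:14:01Z 203.0.113.7 alice@example.com FAIL
2000-01-01T02:14:02Z 203.0.113.7 bob@example.com FAIL
2000-01-01T02:14:03Z 203.0.113.7 carol@example.com OK
2000-01-01T02:14:04Z 203.0.113.7 dave@example.com FAIL
2000-01-01T02:14:05Z 203.0.113.7 erin@example.com FAIL
2000-01-01T02:14:06Z 203.0.113.7 frank@example.com FAIL
2000-01-01T08:30:10Z 198.51.100.20 dana@example.com FAIL
2000-01-01T08:30:25Z 198.51.100.20 dana@example.com FAIL
2000-01-01T08:30:41Z 198.51.100.20 dana@example.com OK
2000-01-01T09:02:00Z 198.51.100.30 gina@example.com OK
"""

def parse(log_text):
    """Yield (ip, username, success) from whitespace-separated log lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        _ts, ip, user, result = parts
        yield ip, user.lower(), result == "OK"

def find_stuffing_sources(log_text, min_users=5, max_success_rate=0.3):
    """Flag sources that try many distinct accounts with mostly failed logins.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, success in parse(log_text):
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if success:
            entry["hits"].add(user)
    flagged = {}
    for ip, entry in stats.items():
        rate = len(entry["hits"]) / entry["attempts"]
        if len(entry["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(entry["users"]),
                "success_rate": round(rate, 2),
                # Successful logins from a flagged source need a forced reset.
                "accounts_to_reset": sorted(entry["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

A user who mistypes a password a few times (the `dana@example.com` lines) is not flagged, because only one account is involved. Grouping by source IP alone is a simplification, since login attempts may be spread across many addresses.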
Image credits: Dunkin Brands Inc.
Third-party breaches are on the rise and are the primary reasons for data breaches against large organizations. If you are concerned about third-party threats, contact LIFARS advisory solutions.