Dunkin' Customers' Data Compromised, Company Announces
Dunkin', the company behind the Dunkin' Donuts franchise, cautioned holders of its DD Perks rewards accounts that their accounts may have been compromised. Though the company did not reveal how many user accounts might have possibly been compromised, it started investigating the data breach.
The coffee and baked goods chain also informed the users to reset their passwords as a precautionary measure. According to a report by ZDNet, Dunkin' released a statement saying the company didn't suffer an actual breach of its backend system but only fell prey to an automated attack, known in the cybersecurity field as a credential stuffing attack — where stolen account credentials are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
DD Perks is a customer loyalty program that lets users order on-the-go and accumulate points that can be traded in for free beverages.
"Although Dunkin’s internal systems did not experience a data security breach, we were informed by one of our security vendors that third-parties who obtained DD Perks account holders’ usernames and passwords through other companies’ or organizations’ security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts. Dunkin’ forced a password reset that required potentially impacted DD Perks account holders to log out and log back into their account using a new password. To protect their security, guests are encouraged to change their passwords on a regular basis," the Dunkin' statement said.
The information that the hackers might have obtained if they gained access to DD Perks account included users' first and last names, email addresses, the 16-digit Perks account numbers, and the DD Perks QR codes. The company was working with its security vendor to help prevent such similar incidences in the future.
"We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for this incident," Dunkin' told ZDNet.
Obtaining the reward points accounts' details might seem bizarre, but reward points are sold on black market platforms on the dark web for a few dollars or in exchange for cryptocurrencies. Recently, it was found that frequent flyer miles — loyalty points offered by airlines which can be redeemed for tickets or other bookings — were being sold by cybercriminals on the dark web. Once the credentials were obtained, the hackers would "sell the hacked account or transfer the miles into another account."
Shares of Dunkin' Brands Group closed 1.97 percent higher Wednesday on Nasdaq, underperforming the overall Nasdaq Composite Index, which closed with a rise of 2.95 percent Wednesday.
© Copyright IBTimes 2024. All rights reserved.