Popular US donut brand may have been the target of cyber attack

The popular US donuts franchise, Dunkin’ Donuts, has taken precautions following a potential cyber-attack on the company’s rewards points system.

 Holders of DD Perks rewards accounts received word last month that Dunkin’ – the firm behind Dunkin’ Donuts – could have suffered a breach whereby hackers attempted to get hold of personal data and profile information.

IT specialists were alerted to the unsavoury behaviour due to an automated attack known as a “credential stuffing attack”, as opposed to there being a full breach of backend infrastructure, ZDnet reports.

Speaking to the ZDnet website, a Dunkin’ Donuts spokesperson said:

“Third-parties who obtained DD Perks account holders’ usernames and passwords through other companies’ or organisations’ security breaches may have used this information to log into certain DD Perks accounts if the account holders used the same username and password for unrelated accounts.”

The firm’s security vendors first became aware of the attack and took steps to nullify “most of these attempts”, Dunkin’ said.

However, the firm concedes that a number of the attempts to get into the system may have succeeded, hence the letter mailed to some DD Perks account holders.

Dunkin’ did not give further details on the total number of account holders that may have been impacted by the intrusion.

If successful, the hackers would have been able to obtain access to the first and last names of DD Perks account holders, their email addresses, a 16-digit DD Perks registration number and the associated QR code.

The accounts are integrated into the Dunkin’ Donuts mobile app rewards programme, enabling account holders to build up points which they can then trade for discounted or free products.

While it might not seem of great use to have access to these accounts’ details, access credentials can be sold for small sums of money on the dark web on sites dedicated to vending profiles connected to rewards programmes.

Dunkin’ Donuts claims the attack took place on October 31st, following identification of credential stuffing. The firm’s response was to enable a password reset on all potential impacted accounts, and create new registration numbers and value cards

“We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for this incident,” Dunkin’ said.


The inaugural Data Protection World Forum (DPWF) was held on November 20th & 21st 2018 at the ExCeL London and welcomed over 3,000 delegates seeking the very latest insight on data protection and privacy.

Pre-registration for DPWF 2019 will be opening in the coming weeks.

https://www.dataprotectionworldforum.com/