Coffee shop chain Dunkin’ Donuts has announced that it has become the victim of a second cyber attack within three months. It was announced yesterday by the chain that a second credential stuffing attack occurred on January 10.
As mentioned in a previous article HERE, Dunkin’ Donuts suffered a similar attack on October 31 2018. This attack was disclosed to the public in November and was found to have stolen usernames and passwords of customers.
Just like the first attack, hackers were able to gain entry to the DD Perks rewards accounts with credentials leaked from other sites. The data typically stored on these accounts includes names, email addresses, and 16 digit DD Perks account number.
It seems the hackers weren’t after the account data, but the accounts themselves. These accounts are thought to be sold on Dark Web forums.
According to several ISP security engineers, this practice of selling accounts is becoming a growing trend. They said that hacking groups are renting IoT botnets and running scripts to carry out credential stuffing attacks against a number of online services.
One script that is used in credential stuffing attacks is called SNIPR and is thought to be one of the ones being sold online for Dunkin’ Donuts attacks.
Once the hackers have broken into these accounts, they sell them to other people who then use the reward points for free food/drink and unearned discounts.
Working to Combat Attacks
In a statement from Dunkin’ Donuts they stated:
“Dunkin’ continues to work aggressively in combatting credential stuffing attacks, which have become increasingly prevalent across the retail industry given the massive volume of stolen credentials now widely available online.”
They also went onto say:
“Dunkin’s internal systems did not experience a data security breach, however, when we are made aware by our security vendors that third-parties may have obtained our customers’ usernames and passwords through other companies’ or organizations’ security breaches and potentially accessed their accounts, we immediately take action to protect the consumer by resetting their password and changing any Dunkin’ cards they may have.”
This isn’t the only attack in recent months on big businesses. Recently, HSBC, Redditt and ad blocking firm AdGuard also suffered credential stuffing attacks.