Dunkin’ Falls Victim To Credential Stuffing Attack Again

Dunkin’ revealed Tuesday (February 12) that hackers were able to get access to customer information via a credential stuffing attack.

According to a report in ZDNet, credential stuffing occurs when hackers take combinations of usernames and passwords that were leaked from other websites and try them against accounts at different websites. ZDNet reported that this marks the second time in three months hackers were able to get into Dunkin’ via credential stuffing. Dunkin’ informed customers about the first attack in November and, according to the report, is alerting customers again, this time to the attack that happened on Jan. 10.

Hackers were able to use passwords they gleaned from other sites to get into the DD Perks rewards accounts. Once in, they can access users’ first and last names, email addresses, DD Perks account numbers and DD Perks QR codes. ZDNet reported that the hackers aren’t going after the personal information in the rewards account but the actual account, which they are in turn selling on the dark web. Hackers reportedly put the accounts up for sale, and people purchase them to use the rewards within the card to get free drinks and discounts.

Dunkin’ isn’t the only company that has fallen victim to credential stuffing attacks. AdGuard, the ad blocker company, was a victim of a similar attack in September, while HSBC was targeted in November, reported the online publication. It noted Reddit, DailyMotion and Basecamp were victims of credential stuffing attacks in January. This type of attack has been growing over the course of the past two years as scores of usernames and passwords have been shoved into the public light. In the past, the information would be tough to get, but now the data have been shared and reshared to the point that they are easily obtainable, noted the report.