America might run on Dunkin'

Dunkin' Donuts has just taken another big hit.  For the second time in recent months, hackers have gained access to an unknown number of DD Perks user accounts.

What makes this issue even worse is the fact that the hackers were able to breach the system in exactly the same way they did three months ago.  They used a technique known as Credential Stuffing.

What did they get?

It's not a sophisticated form of attack, but it is surprisingly effective.  Basically, hackers will take combinations of user names and passwords gleaned from other data breaches and try them to see if any work on other sites.

It's effective, because to this day, a shocking percentage of people use the same password across multiple web properties. That's even if their user names vary slightly.  Unfortunately, when a hacker gains access to a DD Perks account, he or she can see all the details of that user's profile, which include the user's first name, last name, email address, and their DD Perks account code.

While that's not enough on its own to steal someone's identity, the information certainly has value on the Dark Web, and is probably being sold there as you're reading these words.  Of course, it also allows the hackers, or anyone who buys the account information, to start using the victim's hard-earned DD Perks points, getting freebies for themselves and denying them to the rightful account holder.

A Dunkin' Donuts spokesman had this to say about the matter: "Dunkin' continues to work aggressively in combatting credential stuffing attacks, which have become increasingly prevalent across the retail industry given the massive volume of stolen credentials now widely available online."

Our perspective

The spokesman reiterated that this was not a breach of the company's system, but of course, that's small consolation to those who have had their accounts compromised.


The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Denis S Wilson

I am President and Principal Consultant for DWP Information Architects: specializing in managed IT support for smaller healthcare practices, clinics, insurance companies, and nonprofit companies in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance.

I am also a published author and speaker, working extensively with organizations that include: the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. As well as providing small business technology education programs through business and professional associations.

Contact me if you would like me to speak at your meeting.

Meanwhile, check out this report

Executive Report: 10 Hidden IT Risks That Might Threaten Your Business