Cyber Incident Victim: Dunkin'
Date: Oct 2018
Location: United States of America
Summary
A credential stuffing attack targeted the company's customer rewards program, with unauthorized attempts to access accounts using credentials obtained from unrelated third-party breaches. The attackers potentially compromised personal information including names, email addresses, and account-specific details such as membership numbers and QR codes. While the organization's internal systems remained uncompromised, automated login efforts succeeded in accessing some accounts despite security measures blocking most attempts. The incident prompted forced password resets for all potentially affected rewards program members to mitigate further unauthorized access.
Description
On October 31, 2018, Dunkin' Donuts detected unauthorized attempts to access customer accounts within its DD Perks rewards program. The company identified these attempts as part of a credential stuffing attack, where attackers used automated login requests with username and password combinations obtained from security breaches of unrelated third-party companies. The targeted information included customers' first and last names, email addresses, 16-digit DD Perks account numbers, and DD Perks QR codes. Dunkin' Brands Inc. confirmed that its internal systems were not compromised during this incident, emphasizing that the attackers relied exclusively on credentials sourced from external breaches. The company engaged a security vendor to mitigate the attack, which successfully blocked most unauthorized access attempts. However, Dunkin' acknowledged that some DD Perks accounts may have been compromised despite these efforts.

In response to the incident, Dunkin' Donuts initiated a forced password reset for all potentially affected DD Perks accounts on November 29, 2018, requiring users to log out and create new passwords to regain access. The company publicly disclosed the breach the same day via an advisory on its website, attributing the attack to widespread credential reuse across multiple platforms. Credential stuffing was described as an increasingly common attack method due to the affordability of automation tools, with industry data indicating such techniques underpinned 90% of cyberattacks at the time. Dunkin' reiterated that no financial data or Social Security numbers were exposed, as these were not stored in DD Perks accounts. The incident highlighted risks associated with password reuse, though Dunkin' implemented no additional security measures beyond the password reset and vendor-assisted mitigation during the documented timeline.
