Cyber Incident Victim: Dunkin'
Date: Jan 2019
Location: United States of America
Summary
A credential stuffing attack compromised Dunkin' Donuts rewards accounts, marking the second such incident within a short period. Attackers used credentials leaked from other sources to access accounts, subsequently selling them on dark web forums where buyers exploited accumulated reward points for unauthorized discounts and beverages. The company confirmed its internal systems were not breached but reset passwords and replaced linked payment cards for affected users, notifying approximately 1,200 of its over 10 million rewards members. This incident reflects broader industry challenges with credential stuffing, driven by widespread availability of stolen login data, impacting numerous other retailers and service providers.
Description
In early 2019, Dunkin' Donuts experienced its second credential stuffing attack targeting DD Perks rewards accounts within three months, following a similar incident in late 2018. Attackers utilized username and password combinations previously leaked from unrelated third-party breaches to automate unauthorized access attempts against Dunkin' accounts. The threat actors employed a script called SNIPR, specifically configured to target Dunkin's login page, as evidenced by dark web forum advertisements shared with security researchers. Upon successful logins, attackers compromised approximately 1,200 accounts from the platform's 10 million DD Perks members. The compromised accounts contained customers' first and last names, email addresses (used as usernames), 16-digit account numbers, and QR codes used for redemption. Rather than stealing personal data, attackers focused on monetizing account access by selling credentials on underground forums, enabling buyers to fraudulently redeem accumulated rewards points for free beverages and discounts at physical Dunkin' locations.

Dunkin' Donuts detected the intrusion through security vendor partnerships and promptly reset passwords for affected accounts while invalidating associated payment cards. The company emphasized that its internal systems remained uncompromised, attributing the breach solely to credential reuse from external breaches. Notification letters were dispatched to all 1,200 impacted customers. Dunkin' characterized the attack as part of an industry-wide escalation of credential stuffing fueled by the widespread availability of billions of exposed credentials across the internet. This incident mirrored contemporaneous attacks against AdGuard, HSBC, Reddit, DailyMotion, Deliveroo, and Basecamp, reflecting broader criminal trends where threat actors leveraged IoT botnets and automated scripts to exploit recycled credentials at scale across multiple retail and service platforms.
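The two paragraphs above describe the pattern of the attack (automated login attempts using many recycled credentials, a small fraction of which succeed) and the response (reset passwords on the accounts that were actually entered). The following is an added example, not code from the original page or from Dunkin', showing how a defender can surface that pattern from authentication logs: a source that tries many distinct usernames with a low success rate is flagged, and every account it did log into is queued for a forced reset. The log format, the field names, the thresholds and all sample values are constructed for illustration.

```python
"""Credential-stuffing detection over authentication logs (illustrative)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical "key=value" format; these are
# not real Dunkin' records. Source 203.0.113.5 sprays eight different usernames
# and gets one hit; the other two sources behave like ordinary customers.
SAMPLE_LOG = """\
2019-01-10T08:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-01-10T08:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-01-10T08:00:03Z src=203.0.113.5 user=carol@example.com result=OK
2019-01-10T08:00:04Z src=203.0.113.5 user=dave@example.com result=FAIL
2019-01-10T08:00:05Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-01-10T08:00:06Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-01-10T08:00:07Z src=203.0.113.5 user=grace@example.com result=FAIL
2019-01-10T08:00:08Z src=203.0.113.5 user=heidi@example.com result=FAIL
2019-01-10T08:01:00Z src=198.51.100.7 user=ivan@example.com result=FAIL
2019-01-10T08:01:30Z src=198.51.100.7 user=ivan@example.com result=OK
2019-01-10T08:02:00Z src=198.51.100.9 user=judy@example.com result=OK
"""

# Hypothetical line layout: timestamp, source address, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source counters used to separate spraying from normal retries."""
    attempts: int = 0
    successes: int = 0
    users: set[str] = field(default_factory=set)
    succeeded_users: set[str] = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def aggregate_by_source(events: list[dict[str, str]]) -> dict[str, SourceStats]:
    """Group login events by source address and count attempts, successes, usernames."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for event in events:
        entry = stats[event["src"]]
        entry.attempts += 1
        entry.users.add(event["user"])
        if event["result"] == "OK":
            entry.successes += 1
            entry.succeeded_users.add(event["user"])
    return dict(stats)


def flag_stuffing_sources(stats: dict[str, SourceStats], min_attempts: int = 5,
                          min_distinct_users: int = 5,
                          max_success_rate: float = 0.5) -> list[str]:
    """A stuffing source tries many *different* usernames and mostly fails;
    a human who mistypes retries one username until it works. Thresholds are
    illustrative and must be tuned per site."""
    flagged = [
        src for src, entry in stats.items()
        if entry.attempts >= min_attempts
        and len(entry.users) >= min_distinct_users
        and entry.success_rate <= max_success_rate
    ]
    return sorted(flagged)


def accounts_to_reset(stats: dict[str, SourceStats], flagged_sources: list[str]) -> set[str]:
    """Accounts a flagged source logged into successfully: the set that gets a
    forced password reset and linked-card replacement, as in Dunkin's response."""
    reset: set[str] = set()
    for src in flagged_sources:
        reset |= stats[src].succeeded_users
    return reset


def analyze(text: str) -> tuple[list[str], set[str]]:
    """Run the whole pipeline on raw log text."""
    stats = aggregate_by_source(parse_log(text))
    flagged = flag_stuffing_sources(stats)
    return flagged, accounts_to_reset(stats, flagged)


if __name__ == "__main__":
    sources, accounts = analyze(SAMPLE_LOG)
    print("suspected credential-stuffing sources:", sources)
    print("accounts to reset:", sorted(accounts))
```

Grouping by source address catches the simplest case only; the description notes that attackers also drive these campaigns through IoT botnets, where each address makes a handful of attempts. The same counters then need a different key (user agent, TLS fingerprint, or a global failed-login rate over a time window), and a low per-source volume is no longer a reason to trust the traffic.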
