Dunkin’ Donuts has announced that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts. This marks the second time in three months that the coffee shop chain notifies users of account breaches following credential stuffing attacks.
Expert comments below:
Stephen Moore, Chief Security Strategist at Exabeam:
“To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to customer-facing incidents.”
Tim Bandos, Vice President of Cyber Security at Digital Guardian:
“In situations like this, the practice of good password hygiene becomes critical, otherwise you’re putting sensitive accounts and credentials at risk. We know that in addition to credit cards, email addresses and PII, password credentials are highly sought-after by cybercriminals – so use a different password for each of your online accounts. Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been compromised, change your password immediately. Lastly, where possible, enable multi-factor authentication. Popular websites like Facebook, Gmail and Skype all offer this service.”
Steve Armstrong, Regional Director UK, Ireland & South Africa at Bitglass:
Bryan Becker, Application Security Researcher at WhiteHat Security:
“Utilizing multi-factor authentication on any application that supports it. This can prevent an attacker from gaining access to your account even if they determine your username/password combination.
Only log into sites that send your credentials and other sensitive information over SSL. A quick way to determine this is if the URL you are viewing is prefaced with ‘https://’.
Whenever you’re checking your email in a web browser and are sent messages with hyperlinks, hover your mouse over the links and verify where the link is really going to take you to by looking at the URL that appears on the lower left corner of the screen. It’s possible the blue highlighted URL written in the email body is actually a disguised malicious link.”
Aaron Zander, Head of IT at HackerOne:
“If the bad actors scripting this are smart, they are usually just sending a few login requests from each IP and moving on to a new one. When cyber criminals are testing lists they aren’t manually entering credentials one by one unless it is from a really targeted spear phishing campaign. Instead, they are usually running scripts that try hundreds or thousands of logins practically at once, stemming from any number of leaked emails and passwords from breaches in the past. Terabytes of data exist out there, millions and millions of emails and passwords, capitalizing on the password entropy problem that plagues our digital age. That password we used hundreds of times in the early 2000s has come back to haunt us.
Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from becoming testbeds for valid credentials. Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important, both in the total amount they are trying and how fast they can submit. Using tools like captcha, email magic links, rate limiting, browser detection, and in general thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.”
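A defender-side illustration of the checks Zander describes (per-IP and per-account limits, plus spotting the low-and-slow pattern where each IP sends only a handful of attempts), added here as an example and not code from the article or from HackerOne. The log records, thresholds and the `analyze` function are constructed assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample login log (not from the article).
# Each record: (seconds since start, source IP, username, login succeeded?)
LOG = [
    (0, "203.0.113.10", "alice", True), (5, "203.0.113.10", "alice", True),
    (9, "203.0.113.10", "alice", True),                                      # legitimate repeat logins
    (10, "198.51.100.1", "bob", False), (11, "198.51.100.1", "bob", False),
    (12, "198.51.100.1", "bob", False), (13, "198.51.100.1", "bob", False),  # one IP hammering one account
    (20, "192.0.2.1", "carol", False), (21, "192.0.2.2", "dave", False),
    (22, "192.0.2.3", "erin", False), (23, "192.0.2.4", "frank", False),
    (24, "192.0.2.5", "grace", False), (25, "192.0.2.6", "heidi", True),     # a stuffed credential that worked
    (26, "192.0.2.7", "ivan", False), (27, "192.0.2.8", "judy", False),
]

def analyze(log, window=60, per_ip_limit=3, per_account_limit=3,
            spray_min_ips=6, spray_max_per_ip=2, spray_fail_ratio=0.7):
    """Flag noisy IPs, hammered accounts, and time windows that look like distributed
    credential stuffing: many IPs, at most a couple of attempts each, mostly failing."""
    findings = {"noisy_ips": set(), "hammered_accounts": set(),
                "distributed_windows": [], "suspect_logins": set()}
    buckets = defaultdict(list)                  # group events into fixed time windows
    for ts, ip, user, ok in log:
        buckets[ts // window].append((ip, user, ok))
    for win, events in sorted(buckets.items()):
        per_ip, fails_per_user = defaultdict(int), defaultdict(int)
        for ip, user, ok in events:
            per_ip[ip] += 1
            if not ok:
                fails_per_user[user] += 1
        # classic per-IP and per-account rate limits
        findings["noisy_ips"] |= {ip for ip, n in per_ip.items() if n > per_ip_limit}
        findings["hammered_accounts"] |= {u for u, n in fails_per_user.items() if n >= per_account_limit}
        # low-and-slow pattern: look only at IPs that stayed under the per-IP radar
        quiet = {ip for ip, n in per_ip.items() if n <= spray_max_per_ip}
        quiet_events = [(ip, u, ok) for ip, u, ok in events if ip in quiet]
        fails = sum(1 for _, _, ok in quiet_events if not ok)
        if len(quiet) >= spray_min_ips and quiet_events and fails / len(quiet_events) >= spray_fail_ratio:
            findings["distributed_windows"].append(win)
            # successes inside a spray cluster are the likely account takeovers to reset
            findings["suspect_logins"] |= {u for _, u, ok in quiet_events if ok}
    return findings

if __name__ == "__main__":
    print(analyze(LOG))
```

The single-IP check alone misses the 192.0.2.x cluster entirely; only the window-level view surfaces it and the one account that was actually taken over.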
Paul Walker, Technical Director at One Identity, explains how to mitigate this kind of threat and
“Breaches of databases are inevitable: they are going to happen. These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world dark web. The hackers then target well known consumer websites with those credentials, hoping to find an account with a stored credit card for example, or an account with one-click-buy enabled. Credential stuffing can be mitigated by adopting good password hygiene: not using the same password for multiple websites and enabling multi-factor authentication can stop criminals from gaining access to more sensitive accounts and can go a long way in preventing the success of this kind of attack.”