Dunkin’, the company behind the Dunkin’ Donuts franchise, has notified owners of DD Perks rewards accounts that a hacker might have accessed their profiles and personal data last month.
The company said it didn’t suffer an actual breach of its backend systems but only fell victim to an automated attack known in the cyber-security field as a credential stuffing attack. IT security experts commented below.
Michael Griffin, Director of Information Security at Janrain:
“Credential stuffing is an automated attack that simply attempts to login to sites with user credentials that have been stolen elsewhere or by simply guessing. The tricky part is that there is no 100% bulletproof protection against this type of attack — if an attacker happens to have the correct username and password of an account, chances are even the best-secured website or app will think it’s the real user. However, there is a lot that companies can (and should!) do to fend off such attacks; their websites and apps should be able to recognize suspicious behaviour, for example, if multiple unsuccessful login attempts occur in short period of time, or if a user based in the US suddenly attempts to login from a foreign IP address. Accounts should then require step-up authentication, meaning that the user is required to provide additional information to log in, or the account should be locked down completely to protect the user’s data.”
Jon Fielding, Managing Director at EMEA Apricorn:
“It’s clear that breach fatigue has kicked in, but security should always be front of mind. Whilst data isn’t always lost, stolen, or hacked in the same manner, the security processes in place to protect that data should be consistent. The Dunkin’ Donuts breach is a prime example of why basic security best practice should be followed at all times.
Strong password hygiene is a critical component of a security defence. When choosing a password, it should be long and complex. It should also be regularly changed and never reused, particularly to prevent credential stuffing attacks as seems to be the case in this instance.”
Ryan Wilk, VP of Customer Success for NuData Security, a Mastercard company says, “Just when you thought that hackers could not come between you and your morning coffee, they get you right in the rewards points. NuData Security has found that 90% of cyberattacks start with some sort of automation, credential stuffing being a prominent one like the one perpetrated on Dunkin’ Donuts. The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone. What this means is that adversaries can automatically cycle through username and password pairs against login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem. One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment.”
Jeremy Cheung, Vulnerability Verification Specialist at WhiteHat Security:
“The fact that hackers were able to gain access to Dunkin’ Donuts DD Perks accounts utilizing credentials obtained from previous breaches of other applications reinforces the importance of setting a different username/password combination for every application you utilize as an end user. It is essential to practice security mindedness as you browse the web to lessen the personal impact data breaches will have on you once they occur. Some other tips you can practice to secure yourself online are:
- Utilizing multi-factor authentication on any application that supports it. This can prevent an attacker from gaining access to your account even if they determine your username/password combination
- Only log into sites that send your credentials and other sensitive information over SSL. A quick way to determine this is if the URL you are viewing is prefaced with “ https:// ”
- Whenever you’re checking your email in a web browser and are sent messages with hyperlinks, hover your mouse over the links and verify where the link is really going to take you to by looking at the URL that appears on the lower left corner of the screen. It’s possible the blue highlighted URL written in the email body is actually a disguised malicious link.”
