ZDNet reports that Dunkin' Donuts announced today that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts.
This marks the second time in three months that the coffee shop chain has notified customers of account breaches following credential stuffing attacks.
Credential stuffing is a cyber-security term that describes a type of cyber-attack where hackers take combinations of usernames and passwords leaked at other sites and use them to gain (illegal) access to accounts on new sites.
Dunkin' Donuts reported a first credential stuffing attack at the end of November (the actual attack occurred on October 31). Today, the company reported a second credential stuffing attack (the attack occurred on January 10).
Just like in the first, hackers used user credentials leaked at other sites to gain access to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free drinks or discounts on other Dunkin' Donuts products.
The type of information usually stored inside a DD Perks account includes a user's first and last names, email address (also used as username), a 16-digit DD Perks account number, and a DD Perks QR code.
But hackers weren't after users' personal information stored in Dunkin' Donuts rewards accounts. Instead, they were after the account itself, which they are selling on Dark Web forums, according to a screenshot shared with ZDNet by threat intel firm Lastline.
[Image: Dunkin' Donuts account seller]
During online conversations and phone calls over the past few months with this reporter, several security engineers at American ISPs (who could not share their names due to non-disclosure agreements) have previously told ZDNet about this rising trend in the cyber-criminal underground. According to our sources, hacker groups are renting IoT botnets and running scripts to carry out credential stuffing attacks against a wide range of online services.
Once hackers break into accounts, they either exploit them by extracting personal information from the accounts and reselling the personal data to financial fraud operators, or they sell access to the hacked accounts themselves.
This latter case is what's happening with Dunkin' Donuts accounts: hackers put the hacked accounts up for sale, and they are later bought by other people who use the reward points found in these accounts at Dunkin' Donuts shops to receive unearned discounts and free drinks.
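Because the attempts described above come from rented botnets, each source address tries only a few leaked username-password pairs, so per-IP and per-account lockouts rarely trigger. The following is an added example, not code from ZDNet, Dunkin' Donuts or Lastline: it judges one time window of login events in aggregate and flags accounts to review. The thresholds, event format, addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions; tune them against your own baseline.
MIN_FAILURES = 20         # too few failures in a window: nothing to judge
MIN_FAIL_RATIO = 0.5      # share of all login attempts that fail
MAX_TRIES_PER_USER = 1.5  # stuffing tests each leaked pair about once
MAX_FAILS_PER_IP = 5      # botnet nodes stay under per-IP rate limits

def analyze_window(events):
    """events: (src_ip, username, success) tuples from one time window."""
    fails_by_ip = defaultdict(set)  # ip -> usernames that failed from it
    fail_count = 0
    for ip, user, ok in events:
        if not ok:
            fails_by_ip[ip].add(user)
            fail_count += 1
    result = {"stuffing": False, "review_accounts": set()}
    if fail_count < MIN_FAILURES:
        return result
    failed_users = set().union(*fails_by_ip.values())
    # Many failures, spread thinly over many usernames and many addresses.
    result["stuffing"] = (
        fail_count / len(events) >= MIN_FAIL_RATIO
        and fail_count / len(failed_users) <= MAX_TRIES_PER_USER
        and fail_count / len(fails_by_ip) <= MAX_FAILS_PER_IP
    )
    if result["stuffing"]:
        # A success from an address that also failed for other usernames is a
        # likely match from a leaked list: queue it for a forced reset.
        for ip, user, ok in events:
            if ok and fails_by_ip.get(ip, set()) - {user}:
                result["review_accounts"].add(user)
    return result

def normal_logins():
    # Constructed baseline: 30 customers logging in successfully.
    return [(f"198.51.100.{i}", f"user{i}@example.com", True) for i in range(30)]

def sample_botnet_window():
    # Constructed: 40 nodes, two leaked pairs each, one reused password works.
    events = normal_logins()
    for n in range(40):
        for k in (2 * n, 2 * n + 1):
            events.append((f"203.0.113.{n}", f"leak{k}@example.com", False))
    events.append(("203.0.113.7", "reused@example.com", True))
    return events

def sample_bruteforce_window():
    # Constructed contrast: one address guessing at one account 60 times.
    return normal_logins() + [("203.0.113.9", "victim@example.com", False)] * 60

if __name__ == "__main__":
    print(analyze_window(sample_botnet_window()))
    print(analyze_window(sample_bruteforce_window()))
```

The brute-force window is not flagged because its failures concentrate on one username; that pattern is what ordinary account lockout already covers.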
A Dunkin' Donuts spokesperson did not reply to a request for comment before this article's publication.
Dunkin' Donuts is not the only company that has suffered a credential stuffing attack in the past few months. Ad blocker company AdGuard suffered one in September 2018; banking giant HSBC in November; but also Reddit, DailyMotion, and Basecamp last month.
Credential stuffing attacks have become a big problem for online service providers in the past two years, after billions of username and password combinations gradually made their way into the public domain.
While initially these username-password combos were hard to come by because they were being sold online on well-hidden hacking forums, recently they have been shared and re-shared so much that they are now generally available to anyone who knows how to use a search engine and has the time to dig through search results for still-working download links.