[BreachExchange] Incident Of The Week: Dunkin’ Donuts Reports Credential Stuffing Attack

Destry Winant destry at riskbasedsecurity.com
Fri Feb 15 01:47:08 EST 2019


https://www.cshub.com/attacks/articles/incident-of-the-week-dunkin-donuts-reports-credential-stuffing-attack

For the second time in three months, hacked accounts are being sold on
Dark Web forums

Dunkin’ Donuts first reported a credential stuffing attack at the end
of November last year, and is now notifying users of more account
breaches following a new attack. This attack, which happened in
January, is similar to the first in that hackers leveraged user
credentials leaked at other sites to enter DD Perks rewards accounts.

The type of information stored in a DD Perks account, which provides
repeat customers a way to earn points and get free merchandise or
discounts, includes the user’s first and last names, emails
(usernames) and a 16-digit DD Perks account number and QR code.

According to ZDNet, the hackers weren’t after users’ personal
information stored in the rewards accounts; instead, they were after
the account itself in order to sell on Dark Web forums.

Credential Stuffing On The Rise

Recent Akamai research shows that credential stuffing attacks are on
the rise specifically for the retail and financial industries because
of how easy it is to implement these automated assaults; “mobile and
website interfaces and operating systems are kept at a minimum as
lengthy loading time is seen to be a deterrence to customers’ and
legitimate users’ online experiences.”

Further, the research notes that “both consumers and employees tend to
recycle the same email and password combinations for multiple online
accounts, as well as companies’ continued use of outdated or
unsupported versions of operating systems. In the middle of these
factors are organization employees’ and established systems’ inability
to differentiate valid users accessing their respective accounts as
opposed to criminal users.”

Putting The Breach In Perspective

For now, in Dunkin’s case, hackers are putting the hacked accounts up
for sale; the buyers then use the reward points found in these
accounts. However, the implications could have been more serious had
the hackers chosen to exploit the accounts by extracting personal
information and reselling that data to financial fraud operators.

"Dunkin' continues to work aggressively in combatting credential
stuffing attacks, which have become increasingly prevalent across the
retail industry given the massive volume of stolen credentials now
widely available online," a spokesperson told ZDNet via email.

Dunkin’ further said that its internal systems did not experience a
data security breach; however, when it was made aware by security
vendors that third parties may have obtained user data, it
immediately reset the affected users’ passwords and changed their Perks cards.

"When this becomes necessary, we provide notification letters to the
affected consumers. In this case, we contacted 1,200 of our more than
10 million DD Perks members," the company said, putting the most
recent breach in perspective.

Tips To Prevent Credential Stuffing Attacks

According to advice from Trend Micro, here are some ways to strengthen
security against these types of attacks:

- Practice good password hygiene. Avoid reusing the same email and
password combination for multiple online accounts, and change your
access credentials frequently.
- Enable two-factor authentication (2FA) whenever possible. Layered
protection is always better than single access authentication.
- Regularly download updates from legitimate vendors.
- Observe your network traffic and system. A significant increase in
network inquiries, access, or slowdowns may indicate an attack. Run
security software to find and remove malware infection.
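The Akamai research quoted above points to systems' inability to tell valid users from criminal ones, and the last tip says a spike in access attempts may indicate an attack. The following is an added example, written for this post and not taken from the article, Akamai, Trend Micro or Dunkin'. It shows the one login pattern that distinguishes credential stuffing from an ordinary forgotten password: a single source trying many distinct usernames once each, mostly failing. The log format, the thresholds (8 distinct accounts in 5 minutes with at least 80% failures) and the sample lines are all constructed assumptions; real thresholds would be tuned against a site's own baseline.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log (not from the article): one login attempt per line,
# "timestamp source_ip username outcome". 203.0.113.7 runs through ten
# different accounts in a few seconds and gets one hit; 198.51.100.4 is a
# legitimate user retyping their own password.
SAMPLE_LOG = """\
2019-01-15T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-01-15T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-01-15T10:00:02Z 203.0.113.7 carol@example.com FAIL
2019-01-15T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2019-01-15T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-01-15T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-01-15T10:00:05Z 203.0.113.7 grace@example.com FAIL
2019-01-15T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2019-01-15T10:00:06Z 203.0.113.7 ivan@example.com FAIL
2019-01-15T10:00:06Z 203.0.113.7 judy@example.com FAIL
2019-01-15T10:01:10Z 198.51.100.4 alice@example.com FAIL
2019-01-15T10:01:25Z 198.51.100.4 alice@example.com SUCCESS
2019-01-15T10:02:00Z 192.0.2.9 bob@example.com SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAIL)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into Attempt records sorted by time."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines instead of aborting
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        attempts.append(Attempt(ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    attempts.sort(key=lambda a: a.ts)
    return attempts


def detect_stuffing(attempts, window_s=300, min_users=8, min_fail_ratio=0.8):
    """Return {source_ip: sorted accounts that logged in during a flagged burst}.

    Heuristic (assumed thresholds): within window_s seconds one source tries at
    least min_users distinct usernames and at least min_fail_ratio of those
    attempts fail. A real user retyping one password never reaches min_users;
    a stuffing run, one try per leaked credential pair, does. A flagged source
    with an empty list means a burst was seen but no login succeeded.
    """
    recent = defaultdict(deque)  # per-source sliding window of attempts
    flagged = defaultdict(set)
    for a in attempts:
        q = recent[a.ip]
        q.append(a)
        while (a.ts - q[0].ts).total_seconds() > window_s:
            q.popleft()
        distinct_users = {x.user for x in q}
        fails = sum(1 for x in q if not x.ok)
        if len(distinct_users) >= min_users and fails / len(q) >= min_fail_ratio:
            # Any success inside the burst is a candidate compromised account.
            flagged[a.ip].update(x.user for x in q if x.ok)
    return {ip: sorted(users) for ip, users in flagged.items()}


def accounts_to_reset(findings):
    """Union of compromised accounts across all flagged sources (the reset list)."""
    return sorted(set().union(*findings.values()))


if __name__ == "__main__":
    findings = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, users in findings.items():
        print(f"stuffing burst from {ip}; successful logins: {users or 'none'}")
    print("accounts to reset:", accounts_to_reset(findings))
```

On the sample data only 203.0.113.7 is flagged and dave@example.com is the one account that would need the kind of forced password reset the article describes. The distinct-username count is the key signal; counting failures alone would also catch the legitimate user on 198.51.100.4.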
