Dunkin' security alert warns of new credential-stuffing attacks

A Dunkin' security alert sent to customers warned of a second round of credential stuffing attacks in less than three months.

A sample security notification message from Dunkin' to customers revealed the latest attack, which occurred more than one month ago. The Dunkin' security alert was dated Feb. 8 but noted that the company learned of the credential stuffing attack on Jan. 10 and reset passwords on affected accounts.

"Beginning on or around January 10, 2019, we learned from one of our security vendors that a third-party may have attempted to log in to your DD Perks account. We believe that these third-parties obtained usernames and passwords from security breaches of other companies," Kari McHugh, senior director of customer relations for Dunkin', wrote in the message.

She continued, "These individuals then used the usernames and passwords to try to break into various online accounts across the Internet. Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin'."

This marks the second round of credential stuffing attacks to hit the company, which is currently rebranding as Dunkin', in less than three months. In late November, a Dunkin' security alert warned customers of credential stuffing attacks that were discovered on Oct. 31.

Dunkin' did not answer questions as to why it took one month from the time each attack was discovered to notify customers, nor did they comment on what security measures have been put in place to prevent future attacks.

A Dunkin' spokesperson said in a statement that the company is working "aggressively in combatting credential stuffing attacks.

"Dunkin's internal systems did not experience a data security breach. However, when we are made aware by our security vendors that third parties may have obtained our customers' usernames and passwords through other companies' or organizations' security breaches, and potentially accessed their accounts, we immediately take action to protect the consumer by resetting their password and changing any Dunkin' cards they may have. When this becomes necessary, we provide notification letters to the affected consumers. In this case, we contacted 1,200 of our more than 10 million DD Perks members," the spokesperson said. "To protect their security, guests are encouraged to change their passwords on a regular basis and to use unique passwords from other accounts. Dunkin' has taken vigorous steps to protect our customers' data and to proactively communicate with consumers to help mitigate any threat of compromise."

As credential stuffing attacks continue to become more common, experts have become more vocal about issues of password reuse and users not using two-factor authentication as preventative measures. Additionally, services like Have I Been Pwned and Pwned Passwords -- from Troy Hunt -- help users find out if their email addresses or passwords have been part of breach data available on the dark web.