In 2015, hackers used stolen usernames and passwords to steal tens of thousands of dollars from accounts through Dunkin’s website and mobile app over a five-day period. A lawsuit was filed by the state of New York claiming that Dunkin failed to take appropriate action in response to the cyberattack that targeted customers’ data, and a settlement has been reached in which Dunkin Brands, Inc. has agreed to pay $650,000 to settle the data breach lawsuit.
Nearly 20,000 Dunkin’ Donuts reward loyalty accounts were compromised over the period of just five days. Not only were thousands of dollars stolen from the accounts, but it also resulted in the data leak of almost 300,000 additional accounts.
The hack compromised DD Perks members, and it is believed that third parties obtained usernames and passwords from security breaches at other companies and used the stolen credentials to break into various accounts across the Internet, including the 20,000 DD Perks accounts.
This type of attack is called credential stuffing, a cyberattack method in which attackers use a list of compromised user credentials to break into systems. The attackers typically use automation and scale to replay the same username and password pairs against multiple services.
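As an added illustration (not code from the article or from Dunkin’), the Python below shows the kind of detection logic a defender could run over web-login logs to separate credential stuffing, where many distinct usernames are tried from one source with mostly failures, from ordinary password guessing against a single account. The log format, field names and thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample web-login log (not real Dunkin' data). 203.0.113.7 tries
# one password each against many accounts; 198.51.100.4 hammers a single one.
SAMPLE_LOG = """\
2015-10-29T13:04:01Z src=203.0.113.7 user=alice result=FAIL
2015-10-29T13:04:02Z src=203.0.113.7 user=bob result=FAIL
2015-10-29T13:04:02Z src=203.0.113.7 user=carol result=OK
2015-10-29T13:04:03Z src=203.0.113.7 user=dave result=FAIL
2015-10-29T13:04:03Z src=203.0.113.7 user=erin result=FAIL
2015-10-29T13:04:04Z src=203.0.113.7 user=frank result=OK
2015-10-29T13:05:10Z src=198.51.100.4 user=gina result=FAIL
2015-10-29T13:05:30Z src=198.51.100.4 user=gina result=FAIL
2015-10-29T13:05:55Z src=198.51.100.4 user=gina result=OK
"""
LINE_RE = re.compile(r"^\S+ src=(\S+) user=(\S+) result=(OK|FAIL)$")  # assumed format

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)   # distinct accounts targeted
    hits: set = field(default_factory=set)    # accounts where the guess worked

def summarize_by_source(text):
    """Aggregate login attempts per source IP; lines that do not parse are skipped."""
    stats = defaultdict(SourceStats)
    for m in filter(None, (LINE_RE.match(l) for l in text.splitlines())):
        src, user, ok = m.group(1), m.group(2), m.group(3) == "OK"
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.hits.add(user)
        s.failures += 0 if ok else 1
    return stats

def flag_credential_stuffing(text, min_users=5, min_fail_ratio=0.5):
    """Flag sources trying many *distinct* usernames with a high failure rate (the
    stuffing signature); one account with repeated failures (gina) is left to another rule."""
    flagged = {}
    for src, s in summarize_by_source(text).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"attempts": s.attempts, "distinct_users": len(s.users),
                            "fail_ratio": round(ratio, 2), "hit_accounts": sorted(s.hits)}
    return flagged
```

The `hit_accounts` list is the set of accounts the stuffed credentials actually opened, which is exactly the population that needs a forced password reset and a breach notification.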
Even when a third-party app developer notified the company of the data breach, Dunkin’ failed to notify customers or upgrade its security, according to the lawsuit.
Additionally, when Dunkin’ was made aware of the breach, they failed to implement appropriate safeguards to limit additional attacks. The New York Attorney General’s office also accused Dunkin’ of violating consumer protection laws by misrepresenting to consumers that it used safeguards to protect customers’ personal information.
In addition to the $650,000 fine, Dunkin’ Donuts will be required to notify and refund all customers impacted by the data breach and upgrade their security systems.
With credential stuffing attacks, one company’s failed security controls affect other companies, because customers reuse the same username and password combination across multiple accounts.
To make it harder for cybercriminals to carry out credential stuffing attacks, it is important to use a unique, complex password for each online account, and to enable multi-factor authentication so that a stolen password alone is not enough to stop an attack from succeeding.