Dunkin’ Data Breach Highlights Third-Party Risks

DD Perks account holders found themselves the victims of a security breach that exposed their personal information.

DD Perks is a program Dunkin’ offers its customers to place orders and earn rewards points for their purchases.

On October 31, Dunkin’s security team identified that someone was accessing DD Perks accounts without authorization. It is believed the intruders were able to access the accounts after obtaining usernames and passwords from security breaches at companies unrelated to Dunkin’.

Dunkin’ is not revealing the number of affected customers, but it has said that users’ first and last names, email addresses, and DD Perks account numbers may have been skimmed by the hackers.

Dunkin’s security team was able to prevent most of the fraudulent login attempts on users’ accounts, but the company admits it’s possible that some attempts may have been successful.

This may not seem like a big deal, but markets exist for just this type of information. It’s common to find access to airline and hotel rewards programs being sold on the dark web.

An even bigger concern exists for DD Perks account holders who reused their DD Perks usernames and passwords on other platforms. With usernames and passwords in hand, the individuals holding the stolen login information will attempt to sign in to different online accounts across the internet, an attack known as credential stuffing.

If you used a work email and password to create your DD Perks account, you could be putting your whole organization at risk of a future data breach. To find out if your or your organization’s usernames and passwords are being sold on the dark web, consider running a dark web analysis.