The Dunkin’ Donuts data breach leaves a very bad taste in the mouth



In early 2015, hackers successfully compromised the online accounts of Dunkin’ Donuts customers.


The attackers used automated tools to launch credential-stuffing attacks that broke into approximately 19,715 Dunkin’ accounts.





Credential-stuffing attacks exploit the fact that many legitimate account owners reuse passwords they have previously used elsewhere on the internet, so a username and password pair leaked from one site will often open an account on another. (As I say over and over again, you should never reuse your passwords. It’s a recipe for disaster.)
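Credential stuffing leaves a recognisable trace in authentication logs: one source address cycling through many different usernames, most of them failing, rather than one user repeatedly mistyping their own password. The script below is an added illustration, not code from the original article or from Dunkin’ Donuts; its log format (timestamp, source IP, username, result), the thresholds, and the sample lines are all constructed for the example.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not from the original article. The log format, field names,
thresholds and every sample line are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log: "timestamp source_ip username result".
# 203.0.113.7 sprays seven different accounts (stuffing pattern);
# 198.51.100.2 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2015-02-01T10:00:01Z 203.0.113.7 alice FAIL
2015-02-01T10:00:02Z 203.0.113.7 bob FAIL
2015-02-01T10:00:02Z 203.0.113.7 carol OK
2015-02-01T10:00:03Z 203.0.113.7 dave FAIL
2015-02-01T10:00:03Z 203.0.113.7 erin FAIL
2015-02-01T10:00:04Z 203.0.113.7 frank FAIL
2015-02-01T10:00:05Z 203.0.113.7 grace OK
2015-02-01T10:00:09Z 198.51.100.2 alice FAIL
2015-02-01T10:00:15Z 198.51.100.2 alice FAIL
2015-02-01T10:00:20Z 198.51.100.2 alice OK
2015-02-01T10:01:00Z 192.0.2.9 heidi OK
"""


@dataclass
class SourceStats:
    """Login activity observed from one source address."""
    attempts: int = 0
    failures: int = 0
    usernames: Set[str] = field(default_factory=set)
    # Usernames that logged in successfully from this source.
    successes: Set[str] = field(default_factory=set)

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Split each line into (timestamp, source, username, result); skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        entries.append((parts[0], parts[1], parts[2], parts[3]))
    return entries


def summarize(entries: List[Tuple[str, str, str, str]]) -> Dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source address."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, src, user, result in entries:
        s = stats[src]
        s.attempts += 1
        s.usernames.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: Dict[str, SourceStats],
                          min_users: int = 5,
                          min_failure_rate: float = 0.5) -> Dict[str, SourceStats]:
    """A source trying many distinct accounts with mostly failures is the
    credential-stuffing signature. One user failing against a single account
    never reaches min_users and is left alone. Thresholds are assumptions."""
    return {src: s for src, s in stats.items()
            if len(s.usernames) >= min_users and s.failure_rate >= min_failure_rate}


def accounts_to_reset(flagged: Dict[str, SourceStats]) -> Set[str]:
    """Accounts that logged in successfully from a flagged source are the ones
    to notify, reset, and review for unauthorised spending."""
    out: Set[str] = set()
    for s in flagged.values():
        out |= s.successes
    return out


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    flagged = flag_stuffing_sources(stats)
    for src, s in flagged.items():
        print(f"{src}: {len(s.usernames)} accounts tried, "
              f"failure rate {s.failure_rate:.2f}, succeeded on {sorted(s.successes)}")
    print("reset and notify:", sorted(accounts_to_reset(flagged)))
```

The output of `accounts_to_reset` is exactly the list an operator needs for the steps the article says were skipped: notifying the affected customers, resetting their passwords, and freezing the balances on those cards while the rest of the logs are checked.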


The upshot was that the hackers were able to gain access to users’ loyalty card details, including:


First and last name
Email address
16-digit DD Perks account number
PIN
and in some cases, account balance.

These details were then sold on via the computer crime underground to others who were all too happy to use the cash stored on the cards to buy “free” sugar-coated treats and snacks from Dunkin’ Donuts stores.


Fortunately, Dunkin’ Donuts was informed of the security breach by its then-mobile app vendor.


Unfortunately, Dunkin’ Donuts didn’t do anything about it.


Yup, despite repeated warnings and its app developer even providing a list of the almost 20,000 customer accounts that had been compromised over just a sample five-day period, Dunkin’ failed to investigate whether other accounts might have been compromised, what customer details might have been stolen, and if customer funds had been slurped up during the security breach.





Moreover, Dunkin’ Donuts:


Didn’t tell the almost 20,000 customers that their accounts had been compromised.
Didn’t reset affected users’ passwords to prevent further unauthorised access.
Didn’t freeze the funds on compromised loyalty cards.

And, it didn’t put additional security in place to he ..
