What makes this issue even worse is the fact that the hackers were able to breach the system in exactly the same way they did three months ago. They used a technique known as credential stuffing.
It’s not a sophisticated form of attack, but it is surprisingly effective. Basically, hackers will take combinations of user names and passwords gleaned from other data breaches and try them to see if any work on other sites.
It’s effective because, to this day, a shocking percentage of people use the same password across multiple web properties, even if their user names vary slightly. Unfortunately, when a hacker gains access to a DD Perks account, he or she can see all the details of that user’s profile, which include the user’s first name, last name, email address, and their DD Perks account code.
While that’s not enough on its own to steal someone’s identity, the information certainly has value on the Dark Web, and is probably being sold there as you’re reading these words. Of course, it also allows the hackers, or anyone who buys the account information, to start using the victim’s hard-earned DD Perks points, getting freebies for themselves and denying them to the rightful account holder.
A Dunkin’ Donuts spokesman had this to say about the matter: “Dunkin’ continues to work aggressively in combatting credential stuffing attacks, which have become increasingly prevalent across the retail industry given the massive volume of stolen credentials now widely available online.”
The spokesman reiterated that this was not a breach of the company’s system, but of course, that’s small consolation to those who have had their accounts compromised.
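Because credential stuffing tries each stolen user name and password pair once across many accounts, it looks different in login logs from a forgotten password: one source touches many distinct accounts and mostly fails. The sketch below is an added example, not code from Dunkin’ or from this article; the log format, thresholds, function names and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp source_ip username outcome".
# 203.0.113.7 tries six different accounts once each (one pair works);
# 198.51.100.9 is one user mistyping their own password before succeeding.
SAMPLE = [f"2024-01-01T10:00:{i:02d} 203.0.113.7 user{i}@example.com "
          f"{'OK' if i == 4 else 'FAIL'}" for i in range(6)]
SAMPLE += [f"2024-01-01T10:01:{i:02d} 198.51.100.9 carol@example.com "
           f"{'OK' if i == 3 else 'FAIL'}" for i in range(4)]

def parse(lines):
    """Yield (timestamp, ip, username, succeeded) from the assumed log format."""
    for line in lines:
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def find_stuffing(events, window=timedelta(minutes=5),
                  min_users=5, max_success_ratio=0.3):
    """Flag IPs that try many distinct accounts in one window and mostly fail.

    Returns {ip: sorted usernames that logged in successfully}; those accounts
    should be treated as compromised (force a reset, review points activity).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it only covers the last `window` of activity.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            wins = {u for _, u, ok in chunk if ok}
            if len(users) >= min_users and len(wins) / len(users) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(wins)
    return {ip: sorted(w) for ip, w in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in find_stuffing(parse(SAMPLE)).items():
        print(f"{ip}: likely credential stuffing, compromised accounts: {accounts}")
```

Real campaigns spread attempts across many source addresses, so a per-IP rule like this is only one signal alongside site-wide failure rates and checks of passwords against known breach lists.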