Dunkin’ Donuts struck in latest credential stuffing attack

The fast-casual restaurant chain says thieves obtained username and password information belonging to customers via a credential stuffing incident.

Dunkin’ Donuts has alerted customers to a data breach that may impact those who signed up to DD Perks, the company’s loyalty program.

The fast-casual restaurant chain learned Oct. 31 that thieves obtained username and password information belonging to Dunkin’ customers via a credential stuffing incident. Those attacks occur when cybercriminals take credential information leaked in other data breaches and then plug that data into other sites, targeting users who reuse the same password on multiple sites.

“Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’,” the company said in a statement.

Compromised information included customers’ first and last names, email addresses, their 16-digit DD Perks account number and the DD Perks QR code. Dunkin’ did not disclose the number of customers who may be affected.


Hackers often trade points for corporate loyalty programs on the dark web, selling airline miles, gift cards and other perks for cryptocurrency. Credential stuffing increasingly is becoming thieves’ preferred method for acquiring that stolen data: Some companies contend with an average of 3.75 billion malicious login attempts every month, according to recent findings from the security vendor Akamai.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
