The Dunkin’ Donuts data breach leaves a very bad taste in the mouth

Graham Cluley
@gcluley

In early 2015, hackers successfully compromised the online accounts of Dunkin’ Donuts customers.

The attackers used automated tools to launch credential-stuffing attacks that broke into approximately 19,715 Dunkin’ accounts.

Credential-stuffing attacks exploit the fact that many legitimate account owners use passwords that they had previously used elsewhere on the internet. (As I say over-and-over again, you should never reuse your passwords. It’s a recipe for disaster.)

The upshot was that the hackers were able to gain access to users’ loyalty card details, including:

  • First and last name
  • Email address
  • 16-digit DD Perks account number
  • PIN
  • and in some cases, account balance.

These details were then sold on via the computer crime underground to others who were all too happy to use the cash stored on the cards to buy “free” sugar-coated treats and snacks from Dunkin’ Donuts stores.

Fortunately, Dunkin’ Donuts was informed of the security breach by its then-mobile app vendor.

Unfortunately, Dunkin’ Donuts didn’t do anything about it.

Yup, despite repeated warnings and its app developer even providing a list of the almost 20,000 customer accounts that had been compromised over just a sample five-day period, Dunkin’ failed to investigate whether other accounts might have been compromised, what customer details might have been stolen, and if customer funds had been slurped up during the security breach.


Moreover, Dunkin’ Donuts:

  • Didn’t tell the almost 20,000 customers that their accounts had been compromised.
  • Didn’t reset affected users’ passwords to prevent further unauthorised access.
  • Didn’t freeze the funds on compromised loyalty cards.

And, it didn’t put additional security in place to help prevent further attacks occurring in the future. Which was a shame, because it appears the breaches continued to happen for years.

In fact, it took until November 2018 for Dunkin’ Donuts to announce publicly that it had suffered a credential-stuffing attack, and force a password reset. That’s three years after being initially informed.

In February 2019, Dunkin’ Donuts revealed that its loyalty program had again been hit by a credential-stuffing attack.

In a data breach notification, the company said:

“Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’.”

What Dunkin’ Donuts should have done back in 2015 is informed its customers of the problem, reset passwords, introduced systems to spot when there is a huge spike in failed logins as hackers launch their credential-stuffing attacks, and perhaps introduced two-factor authentication for an additional layer of security.
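The detection the paragraph above calls for, spotting a spike in failed logins while a credential-stuffing run is under way, can be implemented as a baseline-and-threshold check over authentication logs. The Python below is an added example written for this page, not code from Dunkin’ Donuts or its app vendor; the log line format, the one-minute window, the thresholds and the sample traffic are all constructed assumptions. It checks two signals: a window whose failure count is far above the median, and a source address that fails against many distinct accounts (stuffing tries one leaked password per account across many accounts, which is what distinguishes it from a brute-force guess against a single account).

```python
"""Detecting a credential-stuffing spike in authentication logs.

Added example for this article; the log format, thresholds and sample
traffic are constructed assumptions, not anything from Dunkin' Donuts'
systems.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW = timedelta(minutes=1)      # size of each counting window (assumed)
SPIKE_FACTOR = 5.0                 # window must exceed baseline by this factor
MIN_FAILURES = 20                  # ...and contain at least this many failures
MIN_DISTINCT_ACCOUNTS = 10         # per-source distinct-account threshold


def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <OK|FAIL> <user> <ip>'."""
    ts, result, user, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, result, user, ip


def window_start(when):
    """Floor a timestamp to the start of its counting window."""
    secs = int(WINDOW.total_seconds())
    epoch = int(when.timestamp()) // secs * secs
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def failures_per_window(lines):
    """Count FAIL lines per window; returns {window_start: count}."""
    counts = defaultdict(int)
    for line in lines:
        when, result, _, _ = parse_line(line)
        if result == "FAIL":
            counts[window_start(when)] += 1
    return dict(counts)


def spike_windows(lines):
    """Return window start times whose failed-login count is anomalous.

    The baseline is the median failures per window over the whole sample,
    so a single burst cannot drag the baseline up with it.
    """
    counts = failures_per_window(lines)
    if not counts:
        return []
    baseline = median(counts.values())
    threshold = max(MIN_FAILURES, SPIKE_FACTOR * baseline)
    return sorted(w for w, n in counts.items() if n >= threshold)


def stuffing_sources(lines):
    """Return source IPs that failed logins against many distinct accounts."""
    users_by_ip = defaultdict(set)
    for line in lines:
        _, result, user, ip = parse_line(line)
        if result == "FAIL":
            users_by_ip[ip].add(user)
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= MIN_DISTINCT_ACCOUNTS)


def constructed_log():
    """Build a constructed sample: five quiet minutes, then one stuffing burst."""
    base = datetime(2015, 1, 10, 9, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Quiet background: two mistyped logins and one success per minute,
    # each minute from a different customer address (documentation range).
    for minute in range(5):
        t = base + timedelta(minutes=minute)
        for k in range(2):
            when = (t + timedelta(seconds=10 * k)).strftime(fmt)
            lines.append(f"{when} FAIL user{minute}{k}@example.com 198.51.100.{minute + 1}")
        when = (t + timedelta(seconds=30)).strftime(fmt)
        lines.append(f"{when} OK user{minute}9@example.com 198.51.100.{minute + 1}")
    # Burst: one source tries 30 different accounts within a single minute.
    t = base + timedelta(minutes=5)
    for k in range(30):
        when = (t + timedelta(seconds=k)).strftime(fmt)
        lines.append(f"{when} FAIL victim{k}@example.com 203.0.113.7")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("spike windows:", [w.isoformat() for w in spike_windows(log)])
    print("stuffing sources:", stuffing_sources(log))
```

On the constructed sample the quiet minutes carry two failures each, so the median baseline is 2 and the 09:05 window with 30 failures is the only one flagged; the single source behind that burst is the only address that touched ten or more distinct accounts. In production the baseline would come from a longer history than the sample being scored, and an alert on either signal is the cue to reset the affected passwords and notify the account holders, which is exactly the response the article says was missing.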

But it didn’t. It swept the problem under the carpet until it could no longer be hidden.

And that’s why the state of New York started a lawsuit against the company, and this week reached a settlement that – if approved by a judge – will see the company pay $650,000, and agree never to let its security slip so badly again.

In its own statement, Dunkin’ Donuts churlishly remarks that it has already enhanced its security:

“Long before the New York Attorney General filed suit in this matter, Dunkin’ had voluntarily implemented or enhanced the security measures identified in today’s settlement,” Dunkin’ told The Register. “We did so not because we were required to by any regulatory or enforcement authority, but because we are committed to protecting our customers’ data. We are continually updating and enhancing our security measures to address ever-evolving cyber security threats, and we use robust information security and data safeguards.”

We shouldn’t forget that the real criminals here are the ones who broke into the accounts, and bought sugar-laden donuts with other people’s loyalty cards. It’s simply gobsmacking that a company like Dunkin’ Donuts would know that its customers were being defrauded but did nothing to notify them of the problem for years.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “The Dunkin’ Donuts data breach leaves a very bad taste in the mouth”

  1. “We did so not because we were required to by any regulatory or enforcement authority, but because we are committed to protecting our customers’ data.”
    Yeah. Right. Obviously.
