Dunkin' Donuts data breach a reminder: Take precautions with logins

Tim Jimenez
November 29, 2018 - 8:09 am

PHILADELPHIA (KYW Newsradio) — Dunkin' Donuts says there's been a data breach affecting members of its DD Perks program. 

The company sent out a security alert to those with DD Perks accounts who may have been affected by this breach. 

What happened at Dunkin' Donuts, specifically with its DD Perks program, is known as "credential stuffing," according to Dr. Rob D'Ovidio, a cybersecurity expert at Drexel University.

"We're seeing this more and more," he said. "This is one of the hot attack methodologies now."

In this case, Dunkin' wasn't actually hacked. Rather, according to one of Dunkin's security vendors, other companies storing logins for their own users experienced breaches. And because at least some of those users are likely to have the same usernames and passwords for several different sites and apps, those criminals were able to take the usernames and passwords they stole and use them to log in to users' other accounts. In this case, it was the DD Perks program.

Dunkin' officials say they found out about the cyberattack on Halloween, and many log-in attempts were blocked, but not all.

D'Ovidio says the lesson is simple: Don't use the same login credentials for multiple online accounts.

"People need to be more secure minded and change those account passwords regularly. But make sure you have different passwords for different accounts," he said. 

D'Ovidio says it's also a good idea to use unique usernames for every separate account. And if that seems like too much to remember, he suggests using a password manager app.

"Go online. Do a little research to make sure it's gotten some good reviews. Good password loggers are going to use strong encryption to protect your library of access credentials," D'Ovidio said.