Dunkin’ Donuts Loyalty Points Accounts Offered Cheap on the Dark Web

dunkin donuts sign in cologne germany
Hackers using credential stuffing software have breached Dunkin’ Donuts loyalty program accounts, which are now being sold cheaply on the dark web.

These are troubling times for cybersecurity, and it appears that the latest victim to hackers is Dunkin’ Donuts.

This coffee chain’s loyalty points accounts have been targeted, jeopardizing the sweet treats that have kept many customers going back for more.

A press statement issued by Dunkin’ Donuts says that hackers effectively figured out how to access DD Perks accounts.

The hackers may have gained access to clients’ names, email addresses, “DD Perks” account numbers and QR codes.

The Dunkin’ Donuts security advisory [PDF] says the company believes that the cybercriminals obtained clients’ information and passwords by utilizing other organizations’ security breaches.

They used the information to sign into some Dunkin’ Donuts Perks accounts.

What Happened to the Hacked Accounts?

Like in many other data breaches, these hacked accounts end up being sold on the dark web.

Hackers don’t go through all the trouble of obtaining such pertinent user information just to fuel their sweet ego—money is the primary motive.

The dark web is already awash with plenty of hacked loyalty program accounts including the recent ones from Dunkin’ Donuts. And they are being sold at a dumping price.

Some merchants on Dream Market, one of the top darknet marketplaces operating today, have already been vending hacked Dunkin’ Donuts loyalty points accounts.

One was selling for $10 a DD Perk account that had $25 of loyalty credit. Another merchant was selling $100 of DD loyalty credit at only $26.

DD Perks program, a mobile application rewards program, appears to have no stringent security regulations.

The merchants on the dark web’s Dream Market are moving the accounts because third parties can still get free treats using the accounts.

A computer programmer or hacker prints a code on a laptop keyboard to break into a secret organization system.
The hackers don’t need to be computer geeks, and the software sifts through different usernames and passwords by trial and error until a match is found.

The merchants even tell would-be customers how to use the hacked accounts by logging into the app (using the hacked credentials) and presenting to the cashier for bill discounts.

Credential Stuffing

Experts have analyzed the Dunkin’ Donuts attack and directly linked it to automation such as the kind used in credential stuffing.

The software in question is so readily available on sites such as Dream Market that such cyberattacks are growing rampant.

The hackers don’t need to be computer geeks, and the software sifts through different usernames and passwords by trial and error until a match is found. Credential stuffing can result in a serious attack within a short time.

In Summary:

  • Hackers have targeted Dunkin’ Donuts loyalty point accounts in a massive cyberattack. Dunkin’ Donuts loyalty point accounts are for regular customers to redeem points for rewards or discounts on baked products or coffee.
  • The hackers made away with clients’ usernames and passwords which they used to log into the accounts and change user information.
  • The attackers are now selling these accounts on darknet platforms like Dream Market.
  • DD Perks accounts are selling at a very low price on the dark web; some sellers are charging only $10 for a Dunkin’ Donuts account that is worth $25 of loyalty credit while a $100 DD Perk account is going for as low as $26.
  • Alongside these low priced loyalty point accounts, Dream Market also sells credential stuffing software that does all the work of finding emails and the right password combination.

Hackers don’t have to be advanced tech geniuses to access your information.