This Week in Breach: Dunkin Donuts
Dunkin' Donuts: One of the world’s leading baked goods and coffee chains
Risk to Small Business: Severe: On February 12th, Dunkin’ Donuts announced that it suffered a credential stuffing attack back in January. This news comes just a few months after the company fell victim to a similar attack on October 31, 2018. As we’ve covered before, hackers carry out credential stuffing attacks by replaying previously leaked usernames and passwords against login forms to access user accounts. In this case, they were able to breach DD Perks rewards accounts and are putting them up for sale on Dark Web forums. Aside from the “double whammy” of two attacks within a short time frame, loyal customers who have lost their rewards will likely take their business elsewhere.
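Because credential stuffing replays pairs leaked from other sites, the pattern a defender looks for is one source trying many distinct accounts, each once or twice, with a high failure rate and a few successes where a password was reused. The following detector is an added example, not code from the original article or from Dunkin’ Donuts; the log lines and threshold values are constructed for illustration.

```python
"""Flag credential-stuffing activity in login events.

Groups attempts by source IP and flags sources that try many distinct
usernames with a high failure ratio; accounts that *did* log in from a
flagged source are the ones to reset and notify.
"""
from collections import defaultdict

# Constructed sample log (not from the article): "time ip user result"
SAMPLE_LOG = """\
09:00:01 203.0.113.7 alice@example.com FAIL
09:00:02 203.0.113.7 bob@example.com FAIL
09:00:02 203.0.113.7 carol@example.com OK
09:00:03 203.0.113.7 dave@example.com FAIL
09:00:03 203.0.113.7 erin@example.com FAIL
09:00:04 203.0.113.7 frank@example.com FAIL
09:05:10 198.51.100.4 alice@example.com FAIL
09:05:20 198.51.100.4 alice@example.com FAIL
09:05:31 198.51.100.4 alice@example.com OK
"""


def parse_events(text):
    """Parse 'time ip user result' lines into (time, ip, user, success)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result == "OK"))
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_failure_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "compromised": set()})
    for _ts, ip, user, ok in events:
        s = by_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["compromised"].add(user)   # reused password: stuffing succeeded
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["failures"] / s["attempts"]
        # A single user retrying their own password (one account, few tries)
        # does not meet the distinct-user threshold and is left alone.
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "failure_ratio": round(ratio, 2),
                           "compromised": sorted(s["compromised"])}
    return flagged
```

Thresholds should be tuned to the site’s own traffic; shared NAT egress addresses will legitimately show many users per IP, so the failure ratio matters as much as the user count.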
Individual Risk: Moderate: The exposed accounts contain personal information such as first and last names, email addresses, 16-digit account numbers, and QR codes. Although the accounts have been put up for sale so that buyers on the Dark Web can cash out the reward points, those buyers can also use the credentials to orchestrate further cyberattacks.
Customers Impacted: 12,000
How it Could Affect Your Customers’ Business: The trend of credential stuffing is only the first wave resulting from the billions of recently leaked usernames and passwords. Companies that experience similar attacks on user accounts will be held liable, regardless of whether they are the source of the breach. To protect against future attacks, businesses must team up with security providers to ensure state-of-the-art password protection and Dark Web monitoring.
In Other News: MyFitnessPal and CoffeeMeetsBagel data go for sale on the Dark Web
After the breach of MyFitnessPal last year involving 150M user accounts, the data has finally been packaged up along with stolen credentials from 15 other websites to be sold on the Dark Web. The asking price? Less than $20,000 in Bitcoin. Other websites included are CoffeeMeetsBagel, Dubsmash, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, Artsy, and DataCamp. In total, 617 million compromised records are involved.
Cybercriminals can combine such databases to find users who are recycling passwords across multiple sites, allowing them to hack into valuable accounts that can be leveraged for fraud. By investing in solutions that can consistently monitor the Dark Web, companies can quickly understand how hackers are planning to use exposed information and implement cybersecurity safeguards.