Double-Stuffed: Dunkin’ Hit by Another Credential-Stuffing Attack
For the second time in three months, Dunkin’ Donuts has stopped a credential stuffing attack targeting its loyalty program. The company believes the attackers aimed to compromise loyalty accounts by trying login credentials that were exposed in data breaches at other companies. Credential stuffing takes advantage of the fact that many people reuse passwords across multiple accounts. These attacks are on the rise because they are relatively simple to pull off: hackers can easily obtain entire databases containing email and password combinations from previous breaches.
Loyalty program data is an increasingly popular target for hackers, who can sell compromised accounts on underground markets. The accounts can be used to get product discounts or as part of cyber scams. Dunkin’ Donuts claims to have stopped most of the attacks, but says there is a possibility some user accounts were taken over. The company has forced all users to reset their passwords.