Dunkin’ Donuts Accounts Compromised In Second Credential Stuffing Attack In Three Months

3312 2

Dunkin’ Donuts has announced that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts. This marks the second time in three months that the coffee shop chain notifies users of account breaches following credential stuffing attacks.

Experts Comments below:

Stephen Moore, Chief Security Strategist at Exabeam:

Stephen Moore“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts.

To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to customer–facing incidents.”

Tim Bandos, Vice President of Cyber Security at Digital Guardian:

“In situations like this, the practice of good password hygiene becomes critical otherwise you’re putting sensitive accounts and credentials at risk. We know that in addition to credit cards, email addresses and PII, password credentials are highly sought-after by cybercriminals – so use a different password for each of your online accounts. Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been comprised, change your password immediately. Lastly, where possible, enable multi-factor authentication. Popular websites like Facebook, Gmail and Skype all offer this service.”

Steve Armstrong, Regional Director UK, Ireland & South Africa at Bitglass:

“It’s imperative that users understand the risk of weak authentication. Reusing the same password allows attackers to use credential stuffing attacks across multiple platforms. For the hacker, once they breach one set of accounts, the pay off can be high. In order to mitigate this risk end users and platform providers should implement both a strong password criteria and a second factor authentication to ensure the user is who they say they are. Ultimately, my recommendation to any customer who has experienced a breach is to change all the passwords across all their accounts online. The use of a password manager would make managing this far simpler. The knock-on effect here is not just the loss of this specific account – but the likelihood of credentials being used elsewhere.”

Bryan Becker, Application Security Researcher at WhiteHat Security:

“The fact that hackers were able to gain access to Dunkin’ DD Perks accounts for a second time, using credentials obtained from previous breaches of other applications, reinforces the importance of setting a different username/password combination for every application you utilize as an end user. It is essential to practice security mindedness as you browse the web to lessen the personal impact data breaches will have on you once they occur. Some other tips you can practice to secure yourself online are:

Utilizing multi-factor authentication on any application that supports it. This can prevent an attacker from gaining access to your account even if they determine your username/password combination
Only log into sites that send your credentials and other sensitive information over SSL. A quick way to determine this is if the URL you are viewing is prefaced with ‘https://’
Whenever you’re checking your email in a web browser and are sent messages with hyperlinks, hover your mouse over the links and verify where the link is really going to take you to by looking at the URL that appears on the lower left corner of the screen. It’s possible the blue highlighted URL written in the email body is actually a disguised malicious link.”

Aaron Zander, Head of IT at HackerOne:

“If a website is receiving an excessive amount of authentication (in the order of an exponential increase in magnitude) the site creator needs to work on how internal and external users are authenticating and how many times an identifiable browser or IP can be sent.

If the bad actors scripting this are smart, they are usually just sending a few login requests from each IP and moving onto a new one. When cyber criminals are testing lists they aren’t manually entering credentials one by one unless it is from a really targeted spear phishing campaign. Instead, they are usually running scripts that try hundreds or thousands of logins practically at once, stemming from any number of leaked emails and passwords from breaches in the past. Terabytes of data exist out there, millions and millions of emails and passwords; capitalizing on the password entropy problem that plagues our digital age. That password we used hundreds of times in the early 2000’s has come back to haunt us.

Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from becoming testbeds for valid credentials. Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important, both in the total amount they are trying and how fast they can submit. Using tools like captcha, email magic links, rate limiting, browser detection, and in general thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.”
Paul Walker, Technical Director at One Identity, explains how to mitigate this kind of threats and

“Breaches of databases are inevitable: they are going to happen. These breaches sometimes release usernames and passwords, either plaintext or hashes, into the wild world dark web. The hackers then target well known consumer websites with those credentials, hoping to find an account with a stored credit card for example, or an account with one-click-buy enabled. Credential stuffing can be mitigated by adopting good password hygiene: not using the same password for multiple websites and enabling multi-factor authentication can stop criminals from gaining access to more sensitive accounts and can go a long way in preventing the success of this kind of attacks.”



Join the Conversation

Join the Conversation

2 comments

  1. LonerVamp Reply

    This is a bizarre post.The intro seems to blame Dunkin’ Donuts for credential stuffing attacks against their platform.

    The first expert says nothing.

    The second one is asking the users to practice good hygiene.

    The third one is again mostly talking to the users, but does mention the web site (Dunkin’ Donuts) should implement second factor authentication, presumably as just an option for users to choose. Which is the only real right answer…

  2. Ben Johnson Reply

    “The credential stuffing attack impacting Dunkin’ Donuts accounts highlights hackers’ priorities today: access. Any exposure of usernames or passwords carries massive implications with it given rampant password re-use. Organizations must defend their own identities and those of their customers with urgency, as attackers would rather use a compromised account than attempt technical exploitation. And to lessen the risk, consumers need to use a password manager, enable multi-factor authentication when possible, and never, ever, reuse a password.”
    – Ben Johnson, CTO and co-founder, Obsidian Security


In this article