Dunkin’ Donuts’ loyalty club, DD Perks, was infiltrated by hackers with stolen usernames and passwords, exposing customer names, addresses and account numbers.
Dunkin’ Donuts e-mailed the customers whose accounts were potentially compromised, informing them of the situation and assuring them that the breach was caused not by a lack of security on DD’s end but by a third party.
According to the company’s statement: “Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts.
“On October 31, 2018, we learned from one of our security vendors that a third-party may have attempted to log in to your DD Perks account. We believe that these third-parties obtained usernames and passwords from security breaches of other companies. These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet. Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’.”
Cyber criminals could have made off with customers’ names, e-mail addresses, Perks account numbers, and Perks QR codes. With access to a customer’s QR code, criminals could potentially access the customer’s rewards and/or use the order-ahead feature to make in-store purchases.
In response to the leak, Dunkin’ Donuts forced all potentially impacted consumers to change their loyalty passwords, and new account numbers have been issued.