According to their vendor, the breach may have occurred via third party sites where the DD Perks customers might have used the same login credentials. The attack was noticed after a third-party attempted to log in to certain accounts. As explained in their security notice,
“On October 31, 2018, we learned from one of our security vendors that a third-party may have attempted to log in to your DD Perks account. We believe that these third-parties obtained usernames and passwords from security breaches of other companies. These individuals then used the usernames and passwords to try to break into various online accounts across the Internet.”Regarding the breached information, Dunkin states that it depends on the extent of information contained in affected DD Perks accounts. Nonetheless, the attackers may have accessed the customers’ names, usernames, email addresses, DD Perks 16-digit account numbers, and QR codes.
“We also have taken steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards. We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for this incident.”In addition, the company also urges its customers to create “unique passwords for their DD Perks accounts” that they do not use elsewhere.