Members of Dunkin’s DD Perks program could have had their information stolen, including passwords and usernames, when the loyalty program suffered an unauthorized breach.
Dunkin’ was first alerted of the breach on October 31 when one of Dunkin’s security vendor found that a third party tried to access the data of DD Perks members accounts.
"We believe that these third-parties obtained usernames and passwords from security breaches of other companies. These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet," Dunkin' said in a statement. "Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’."
During the breach, the third parties could access account holders first and last names, the 16-digit DD Perks account number, email address, and DD Perks QR code, the company said. Each member was affected differently depending on how much information they had on their account.
In order to log back into the compromised accounts, the members impacted by the breach had to reset their passwords, Dunkin’ said in a statement. “We forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back in to their account using a new password,” it said. “We also have taken steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards.”
On an update on its site, Dunkin’ said it is working with its security vendor and reported the breach to law enforcement “and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for this incident,” Dunkin said.
In April, it was revealed that up to 37 million customers could have been affected by information possibly leaked on Panera’s website. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy’s grappled with breaches in recent months.