On Thursday, Dunkin’ Donuts announced that hackers had likely broken into some customers’ loyalty points accounts.
But why would a hacker want loyalty points at a donut chain? Apart from perhaps fuelling a hacker’s pastry binge, these accounts may end up for sale on the dark web. Plenty of compromised Dunkin’ accounts already appear on dark web marketplaces as part of the booming loyalty points economy. And they’re pretty cheap, too.
“Grab hacked Account Dunkin Donut now with cheap ever price on market!” one listing currently available on Dream Marketplace, likely the largest dark web market at the time of writing, reads. For $10, the seller is offering $25 or more worth of Dunkin’ Donuts loyalty credit, or $12 for $30 worth of credit. Another vendor sells $100 worth of loyalty credit for around $26.
The recent Dunkin’ Donuts announcement concerns the company’s DD Perks program, a mobile app rewards program that customers can use to get free beverages or special discounts. It appears the vendors on Dream Marketplace are selling accounts for that same purpose. “Just login thru the apps on mobile for presenting at cashier for bill payment!” one of the listings adds.
This isn’t to say that the accounts currently for sale are one and the same as the accounts Dunkin’ Donuts recently warned its customers about, but there is a good chance those accounts will face the same fate.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
In its earlier statement, Dunkin’ Donuts said it was not itself the victim of a data breach, but that hackers had used passwords from other compromised sites to then log into customer accounts. This technique, commonly called credential stuffing, is one of the main ways hackers gain access to loyalty point accounts, whether those belong to Dunkin’ Donuts, hotel chains, or anything else.
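The behaviour described above leaves a recognisable trace on the victim site: one source address cycling through many different usernames in a short window, with most attempts failing and the occasional hit on an account whose password was reused elsewhere. The following is an added example, not code from the article or from Dunkin’ Donuts, of how a defender might flag that pattern in authentication logs. The log lines, the log format, and the thresholds (five distinct usernames and an 80% failure rate within five minutes) are all constructed assumptions for illustration.

```python
"""
Credential-stuffing detector over constructed authentication logs.

Flags source IPs that attempt logins for many distinct usernames with a
high failure ratio inside a short window, and lists any accounts that
succeeded inside that window so they can be locked and reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format): timestamp, source IP,
# username, outcome. 203.0.113.7 behaves like an automated credential
# replay; 198.51.100.20 is one user mistyping a password; 192.0.2.9 tries a
# few accounts but stays below the threshold.
SAMPLE_LOG = """\
2018-11-29T10:00:01Z 203.0.113.7 alice@example.net FAIL
2018-11-29T10:00:03Z 203.0.113.7 bob@example.net FAIL
2018-11-29T10:00:05Z 203.0.113.7 carol@example.net OK
2018-11-29T10:00:07Z 203.0.113.7 dave@example.net FAIL
2018-11-29T10:00:09Z 203.0.113.7 erin@example.net FAIL
2018-11-29T10:00:11Z 203.0.113.7 frank@example.net FAIL
2018-11-29T10:00:02Z 198.51.100.20 alice@example.net FAIL
2018-11-29T10:00:20Z 198.51.100.20 alice@example.net FAIL
2018-11-29T10:00:40Z 198.51.100.20 alice@example.net OK
2018-11-29T10:01:00Z 192.0.2.9 grace@example.net FAIL
2018-11-29T10:01:05Z 192.0.2.9 heidi@example.net FAIL
2018-11-29T10:01:10Z 192.0.2.9 ivan@example.net FAIL
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for every source IP whose login attempts, within
    any sliding window, touch at least `min_users` distinct usernames and
    fail at least `min_fail_ratio` of the time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order per source IP
        for i, (start, _, _) in enumerate(evs):
            # All events from this one forward that fall inside the window.
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, ok in in_window if not ok)
            ratio = failures / len(in_window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                # Keep the widest-spread window seen for this IP.
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "window_start": start.isoformat(),
                        "attempts": len(in_window),
                        "distinct_users": len(users),
                        "failures": failures,
                        "failure_ratio": round(ratio, 2),
                        # Accounts that logged in during the attack window:
                        # candidates for forced password reset.
                        "compromised": sorted(u for _, u, ok in in_window if ok),
                    }
    return findings


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The legitimate retry from 198.51.100.20 is not flagged because it only ever touches one username, and 192.0.2.9 stays under the distinct-user threshold; only 203.0.113.7 is reported, together with the one account it successfully entered. In production the same logic would run on the login endpoint's access or authentication logs, with the thresholds tuned to the site's normal traffic.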
On Dream Marketplace, one vendor is offering a configuration file for Sentry, a piece of software that makes it easier for a hacker to quickly churn through different login credentials to see which ones work. Sentry requires different settings for each service or website that the hacker may want to target, hence the configuration file.
A similar technique was used to obtain Uber login credentials when those appeared for sale on the dark web. The vendor for the Dunkin’ Donuts Sentry file, which costs around $2, also offers support to customers to get it working, according to the seller’s listing.
“100% satisfaction guarantee,” one advertisement reads.