New York Attorney General Letitia James (“James”) announced a settlement with Dunkin’ Brands, Inc. (Dunkin’) — franchisor of Dunkin’ Donuts — resolving a lawsuit over the company’s failure to respond to successful cyberattacks that compromised tens of thousands of customers’ online accounts.
According to James, Dunkin’ was repeatedly alerted by a third-party app developer to attackers’ ongoing attempts to log in to customer accounts. The app developer even provided Dunkin’ with a list of nearly 20,000 accounts that had been compromised by attackers over just a sample five-day period. “Yet, Dunkin’ failed to investigate the attacks to identify other customer accounts that had been compromised, determine what customer information had been acquired, or whether customer funds had been stolen.”
Dunkin’ Donuts has agreed to pay $650,000 in penalties and costs to settle the lawsuit over its failure to respond to credential stuffing attacks that compromised customer accounts between 2015 and 2019.
In 2014, Seattle-based coffee chain Starbucks was affected by a similar breach, in which attackers used stolen customers’ store card credentials to make fraudulent in-store transactions across the US and Canada.
What is credential stuffing?
Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames or email addresses and their corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing does not attempt to brute force or guess passwords: the attacker simply automates logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools like Selenium, cURL or PhantomJS, or tools designed specifically for these attacks such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites, and 25% of users use the same password across a majority of their accounts.
The Ponemon Institute’s Cost of Credential Stuffing report found that businesses lose an average of $4 million per year to credential stuffing. These losses take the form of application downtime, lost customers, and increased IT costs. Large-scale botnet attacks can overwhelm a business’ IT infrastructure, with websites experiencing as much as 180 times their typical traffic during an attack.
In early 2015, Dunkin’, franchisor of Dunkin’ Donuts, was repeatedly alerted by its third-party app developer to unauthorized access to customer accounts that exposed shopper names, email addresses, 16-digit DD Perks account numbers, and PINs. Many of these compromised accounts also held Dunkin’-branded stored value cards (DD cards) that could be used to purchase various baked goods and beverages. In under a week, the breach exposed nearly 20,000 shopper accounts, and criminals stole tens of thousands of dollars from customers’ DD cards.
According to the New York Attorney General’s Office, Dunkin’, franchisor of Dunkin’ Donuts, “failed to notify these customers of unauthorized access to their accounts, reset their account passwords to prevent further unauthorized access or freeze their DD cards.”
The company suffered similar attacks in 2018. “In November 2018 or February 2019, Dunkin’s security vendor had identified usernames and passwords, including yours, that were likely obtained through other companies’ security breaches (not through any compromise of Dunkin’s internal systems) and were made available on the Internet,” reads a supplemental notice of data breach filed with the Attorney General’s Office. “Malicious actors used those usernames and passwords to obtain DD Perks account information, including stored value card numbers and PINs.”
On top of the $650,000 in penalties and costs to be paid to the State of New York, Dunkin’ must notify all impacted customers, reset account passwords, and provide refunds for unauthorized use of shopper DD cards. Additionally, the company must upgrade its security protocols to avoid future unauthorized access and follow data breach notification procedures in any future incidents.
Detecting credential stuffing
Signs of a credential stuffing attack, and ways to detect it:
• Monitor for an abnormal number of login attempts on a single account from one endpoint.
• Monitor for login attempts against many different accounts from one endpoint.
• Identify known malicious endpoints attempting to use credentials, by IP address or by fingerprinting techniques.
• Detect the use of automation software in the login process.
• Remove credential-based login altogether and replace it with passwordless authentication.
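The heuristics in the list above can be run over ordinary authentication logs. The following is an added example (not code from the article or from Dunkin’) that applies them to a handful of constructed log lines: it counts distinct accounts per source endpoint, attempts per account from one endpoint, automation-tool user agents, and endpoints on a blocklist. The log format, the thresholds, the user-agent markers and the blocklist entry are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample log lines (not real data), one attempt per line:
# "<timestamp> <source ip> <account> <result> <user agent>"
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 203.0.113.5 alice@example.com FAIL curl/7.64.0
2019-02-01T10:00:02Z 203.0.113.5 bob@example.com FAIL curl/7.64.0
2019-02-01T10:00:03Z 203.0.113.5 carol@example.com OK curl/7.64.0
2019-02-01T10:00:04Z 203.0.113.5 dave@example.com FAIL curl/7.64.0
2019-02-01T10:00:05Z 203.0.113.5 erin@example.com FAIL curl/7.64.0
2019-02-01T10:01:00Z 198.51.100.9 frank@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0
2019-02-01T10:01:01Z 198.51.100.9 frank@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0
2019-02-01T10:01:02Z 198.51.100.9 frank@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0
2019-02-01T10:01:03Z 198.51.100.9 frank@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0
2019-02-01T10:01:04Z 198.51.100.9 frank@example.com FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0
2019-02-01T10:01:05Z 198.51.100.9 frank@example.com OK Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0
2019-02-01T10:02:00Z 192.0.2.10 alice@example.com OK Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) Safari/605.1.15
"""

# Thresholds are assumptions for illustration; tune them against your own baseline.
MAX_ACCOUNTS_PER_IP = 3           # distinct accounts one endpoint may touch in the window
MAX_ATTEMPTS_PER_ACCOUNT_IP = 5   # attempts one endpoint may make on one account
# Assumed user-agent markers of automation tools (cURL, PhantomJS, headless Chrome).
AUTOMATION_UA_MARKERS = ("curl/", "phantomjs", "headlesschrome")
# Constructed blocklist entry for the example, not a real indicator.
KNOWN_BAD_IPS = {"198.51.100.9"}


def parse_line(line):
    """Split one log line into its fields; the user agent may itself contain spaces."""
    ts, ip, account, result, ua = line.split(" ", 4)
    return {"ts": ts, "ip": ip, "account": account, "result": result, "ua": ua}


def analyze(log_text):
    """Return {ip: [reasons]} for every endpoint that trips at least one heuristic."""
    accounts_by_ip = defaultdict(set)       # ip -> accounts it tried
    attempts_by_ip_account = defaultdict(int)  # (ip, account) -> attempt count
    automation_ips = set()                  # ips that presented an automation UA

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        accounts_by_ip[e["ip"]].add(e["account"])
        attempts_by_ip_account[(e["ip"], e["account"])] += 1
        if any(marker in e["ua"].lower() for marker in AUTOMATION_UA_MARKERS):
            automation_ips.add(e["ip"])

    findings = defaultdict(list)
    # Many different accounts from one endpoint: the classic stuffing pattern.
    for ip, accounts in accounts_by_ip.items():
        if len(accounts) > MAX_ACCOUNTS_PER_IP:
            findings[ip].append(f"{len(accounts)} distinct accounts from one endpoint")
    # Many attempts on a single account from one endpoint.
    for (ip, account), n in attempts_by_ip_account.items():
        if n >= MAX_ATTEMPTS_PER_ACCOUNT_IP:
            findings[ip].append(f"{n} attempts on {account} from one endpoint")
    # Automation software in the login process.
    for ip in sorted(automation_ips):
        findings[ip].append("automation tool user agent")
    # Known malicious endpoints identified by IP address.
    for ip in accounts_by_ip:
        if ip in KNOWN_BAD_IPS:
            findings[ip].append("endpoint on blocklist")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed log, 203.0.113.5 is flagged for touching five accounts with a cURL user agent, 198.51.100.9 for six attempts on one account from a blocklisted address, and the normal login from 192.0.2.10 produces no finding. In production the same counters would be kept per sliding time window rather than over a whole file, and the user-agent check is only a weak signal, since an attacker can set any string.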
Some ways users can protect themselves
• Avoid reusing passwords: Use a unique password for each account you use online.
• Use a password manager: Generate strong passwords and use a password manager like 1Password (paid) or Bitwarden (free and open-source) to remember your passwords for you.
• Enable two-factor authentication: Even if an attacker has your username and password, they won’t be able to sign in to your account without the second-factor code.
• Get leaked password notifications: Use a service like Pwned to get a message when your credentials appear in a leak.
Some ways companies can protect themselves
• Use multi-factor authentication: Multi-factor authentication (MFA) is a good defense against the majority of password-related attacks, including credential stuffing and password spraying.
• IP Blacklisting: Attackers will typically have a limited pool of IP addresses, so another effective defense is to block or sandbox IPs that attempt to log into multiple accounts. You can monitor the last several IPs used to log into a specific account and compare them to the suspected bad IP to reduce false positives.
• Flag unrecognized devices: A credential stuffing attack will most often come from a new, unrecognized device, so your team can help prevent attacks by keeping an eye on the devices attempting to access your users’ accounts.
• Use CAPTCHA: Although not perfect, requiring a user to solve a CAPTCHA for each login attempt can help to prevent automated login attempts, which would significantly slow down a credential stuffing or password spraying attack.
• Align Website Architecture with Different Types of Clients: For example, you might segment your clients by URL as follows: URL 1: Humans on desktop, laptop, and mobile browsers; URL 2: Native mobile apps; and URL 3: Automated third-party services, such as industry aggregators and partners. With this approach, you will apply the appropriate bot detection to URL 1 and URL 2, and force other types of consumers to URL 3.
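The MFA, IP-blocking and unrecognized-device measures above combine naturally into a single decision made at login time. The following is an added example (not code from the article or from any vendor) of such a login guard: it keeps, per account, the last few IPs that logged in successfully and the device fingerprints it has seen, and decides whether an attempt is allowed, must solve a CAPTCHA, must pass a second factor, or is blocked. As the IP-blacklisting item suggests, a suspected bad IP is only blocked when the account has not recently used it, which keeps a user whose home address happens to be on the list from being locked out. The in-memory store, the threshold and the device identifiers are assumptions for the illustration.

```python
from collections import defaultdict

# Assumed threshold: distinct accounts one IP may try before it must solve a CAPTCHA.
MAX_ACCOUNTS_PER_IP = 3


class LoginGuard:
    """Per-account history used to decide what an attempt must pass before sign-in.

    Illustrative only: state lives in memory, whereas a real deployment would keep
    it in a shared store keyed by a sliding time window.
    """

    def __init__(self, suspect_ips, history_len=5):
        self.suspect_ips = set(suspect_ips)      # IPs flagged by the detection stage
        self.history_len = history_len           # how many recent login IPs to remember
        self.recent_ips = defaultdict(list)      # account -> last N successful login IPs
        self.known_devices = defaultdict(set)    # account -> device fingerprints seen
        self.accounts_by_ip = defaultdict(set)   # ip -> accounts it has tried

    def decide(self, account, ip, device_id):
        """Return "allow", "captcha", "mfa" or "block" for one login attempt."""
        self.accounts_by_ip[ip].add(account)
        ip_is_familiar = ip in self.recent_ips[account]
        # Suspected bad IP that this account never used before: refuse outright.
        if ip in self.suspect_ips and not ip_is_familiar:
            return "block"
        # One endpoint trying many accounts: slow it down with a CAPTCHA.
        if len(self.accounts_by_ip[ip]) > MAX_ACCOUNTS_PER_IP:
            return "captcha"
        # Unrecognized device for this account: require a second factor.
        if device_id not in self.known_devices[account]:
            return "mfa"
        return "allow"

    def record_success(self, account, ip, device_id):
        """Call after the password (and any CAPTCHA or MFA step-up) was verified."""
        history = self.recent_ips[account]
        history.append(ip)
        del history[:-self.history_len]          # keep only the last N entries
        self.known_devices[account].add(device_id)


if __name__ == "__main__":
    # Constructed scenario: 198.51.100.9 was flagged as a suspect endpoint.
    guard = LoginGuard(suspect_ips={"198.51.100.9"})
    print(guard.decide("alice", "192.0.2.10", "dev-A"))      # mfa: first device seen
    guard.record_success("alice", "192.0.2.10", "dev-A")
    print(guard.decide("alice", "192.0.2.10", "dev-A"))      # allow: known IP and device
    print(guard.decide("alice", "198.51.100.9", "dev-A"))    # block: suspect IP, unfamiliar
    guard.record_success("bob", "198.51.100.9", "dev-B")     # bob's usual address
    print(guard.decide("bob", "198.51.100.9", "dev-B"))      # allow: suspect IP but familiar
    for user in ("carol", "dave", "erin", "frank"):          # one IP, many accounts
        print(user, guard.decide(user, "203.0.113.5", "dev-" + user))
```

The order of the checks matters: the blocklist test runs first so that a known-bad endpoint never reaches the password check, the per-IP account counter comes next because it needs no knowledge of the victim account, and the device check last because it is the one most likely to fire for legitimate users and therefore ends in a step-up rather than a refusal.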
Credential stuffing attacks pose a significant cyber threat not only for individuals, but also for companies.
The Dunkin’ breach highlights the importance of maintaining cybersecurity and following local legal procedures – which can differ internationally. You can’t be a fast follower – individuals and companies must be vigilant.
Companies that do business in New York must familiarize themselves with New York’s new data breach notification law, which went into effect in March 2020. Once a company becomes aware of a potential data breach, it must act quickly to investigate and remediate the breach and, if appropriate, adequately notify consumers who were affected. It is also imperative that companies regularly evaluate their data breach response policies and procedures to ensure that they are ready to respond appropriately in the event of a data breach incident.
Boards should be continuously monitoring what’s happening in their space and asking senior management to explain how they are dealing with those risks.
I welcome your thoughts and comments.
Sources: Drinker, GlobalDots, Security Magazine