Project manager working and update tasks with milestones progress planning and Gantt chart scheduling virtual diagram.Businessman hand pressing an imaginary button on virtual screen
Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Getting stuffed at Dunkin’ Donuts?

By Richard Arneson

Just last week, sugary sweet giant Dunkin’ Donuts was hit with its second cyber-attack in three (3) months. Both attacks can be filed in a cyberattack category you may not have heard of—credential stuffing. It’s a type of brute force attack in which stolen credentials are used to access other online accounts.

We’ve all signed up for online membership programs, right? Doing so grants you access to coupons, perks and special deals for products and services. Nothing wrong with that. But Credential Stuffing Attacks target these membership programs, which allows hackers to access accounts and get names, email addresses and account numbers associated with the program.

Membership and loyalty programs have been around for years, and their quid pro quo nature benefits both parties involved. You get good deals and the vendor builds a rich database of customers to whom they can market. And because they rarely involve sensitive information, such as credit card numbers or social security numbers, they don’t often raise red flags for customers. They know what signing up results in—offers and information getting pushed to your inbox. And, of course, you can opt-out at any time. So, what’s the problem?

Here’s how credential stuffing works, and why you should care about it

Credential stuffing involving donut shops may sound benign, but attackers are looking to do more than disrupt vendor couponing. Last August, credential stuffing resulted in a $13.5 million bank heist in India.

Through automated tools and scripts available on the dark web, credential stuffers use stolen login information to target particular websites. The login information can stuff websites’ account logins until matches are uncovered. They’re then sold on the dark web advertising that they’ve been verified to work on a particular site.

If you don’t use one (1) of the many password managers on the market, you should. And if you don’t, you’ve probably found yourself using the same login and password for a wide range of sites. And, who knows, you may be using the same login information for online banking that you do for the sandwich shop around the corner. Is getting 2 for 1 patty melts worth more than a hacker gaining access to your financial data? Probably not.

Steps to protect your organization against credential stuffing

If you currently offer a membership or loyalty program, it’s advised that you take a regular look at authentication logs. If you see a large number of authentication attempts from the same IP address, you may be the victim of credential stuffing. Also, if you’re allowing access through Tor nodes, which allow users to remain anonymous, it can be difficult to determine the source. You may want to block access from Tor nodes altogether.

And, yes, it may annoy some customers, but requiring members to periodically reset passwords can help guard against credential stuffing attacks. But be careful with the wording of the communique, or customers may think they’re they a phishing target.

Let these folks take the complexity out of your security posture

To find out how to secure your organization’s network and protect its mission critical data, contact GDT’s tenured and talented engineers and security analysts at From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.

If you want more information about network security, read more here:

Security Myths Debunked

State of the Union address focuses on technology–briefly

The technology arms race was just amped up

Apparently, cyber attackers also consider imitation to be the sincerest form of flattery

Last week’s DHS “alert” upgraded to “an emergency directive”

The Collection #1 data breach—sit down first; the numbers are pretty scary

Shutdown affects more than workers

DDoS Attacks will deny a Massachusetts Man Ten (10) years of Freedom

Phishing for Apples

This isn’t fake news

Don’t get blinded by binge-watching

Mo Money, Mo Technology―Taylor Swift uses facial recognition at concerts

Step aside all ye crimes—there’s a new king in town

Q & A for a Q & A website: Quora, what happened?

They were discovered on Google Play, but this is no game

And in this corner…

Elections are in, but there’s one (1) tally that remains to be counted

Hiring A Hacker Probably Shouldn’t Be Part of Your Business Plan

Gen V

Sexy, yes, but potentially dangerous

Tetration—you should know its meaning

It’s in their DNA

When SOC plays second fiddle to NOC, you could be in for an expensive tune

How to protect against Ransomware


Subscribe to our Newsletter

WordPress Image Lightbox