Woesnotgone Meadow
December 11, 2018
#
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
Most people in the Meadow enjoy the occasional donut at Margie’s Donuts. In between the convenient space on Main Street, the company, and heavenly scents from the kitchen, people come and go. People have the option of paying with cash, or credit card. Margie just started an awards program for the clients who purchase a dozen at a time.
That reminds me; Dunkin’ Donuts has a reward program also (DD Perks). This service had an issue recently.
Secondary Risk with Compromise
There are a vast number of compromises with the different industries and varied number of affected users. The range of affected parties may vary greatly from hundreds to hundreds of millions. Nearly all the compromises have a common thread. The breach and compromise yield data for the attackers and these have very usable data (e.g. username and passwords for the respective company). Clearly this is bad for the client or user, however, there are longer-term effects for them also. There is the temporary loss of revenue, sales, and fines. Other areas more difficult to measure may be loss of standing in the community, and market share.
The attackers use this data in various ways. One in particular is to take the login data and attempt to use this with other login portals at other companies. This is a popular and surprisingly efficient attack due to the users tending to reuse their passwords and usernames with other web portals. This is easier for them, and unfortunately, also for the attackers. This works with Attacker A using the credentials from other breaches to try and access the users accounts. The attackers may know what these are, or create a list from an educated guess. The attackers, in substance, are stuffing the credentials used for one website into another. This process, if manual, would take a significant amount of time, dependent on the target. With this, however, being automated, and adjustable, this is an efficient attack. As for the adjustments, if Dog1 were to fail, the system could modify this password guess to Dog2, Dog3, etc. This attack has become more notable in the news recently.
Data Security Breach
The breach was discovered on October 31, 2018. Dunkin’ Donuts communicated the issue to its customers involved with the DD Perks program. The unauthorized third party had accessed the DD Perks system without authorization. The third parties had used the client’s usernames and passwords to log into their accounts. This data was acquired through other company’s security breaches. The attackers were able to automate the attack. The successful account manipulation was done through this credential stuffing. Dunkin’ Donuts were notified of the issue by one of their security vendors. It is notable that most of the attempts were not successful.
Data
The data would vary for each user. This was due to the clients sharing different data, based on their comfort level. In general, the minimum data accessed would have been their first name, last name, username, 16-digit DD Perks account number, and the DD Perks QR code.
Remediation
Dunkin’ Donuts forced a password reset for the customers. They also replaced the DD Perks account number, along with working with law enforcement.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
Resources
CBS Philly. (2018, November 2). Dunkin warns customers of data breach. Retrieved from https://philadelphia.cbslocal.com/2018/11/28/dunkin-warns-customers-of-data-breach/
Cimpany, C. (2018, November 29). Dunkin’ donuts accounts may have been hacked in credential stuffing attack. Retrieved from https://www.zdnet.com/article/dunkin-donuts-accounts-may-have-been-hacked-in-credential-stuffing-attack/
Dunkin’ Brands. (2018). Security update. Retrieved from https://www.dunkindonuts.com/content/dam/dd/pdf/Security_Update.pdf
Jimenez, T. (2018, November 29). Dunkin’ donuts to data breach affects DD perks members. Retrieved from https://kywnewsradio.radio.com/articles/news/dunkin-donuts-data-breach-affects-dd-perks-members
O’Laughlin, F. (2018, November 29). Dunkin’ warns customers of data breach. Retrieved from https://whah.com/news/dunkin-warns-customers-of-data-breach/
6abc. (2018, Novembe 28). Dunkin’ donuts warns customers of data breach. Retrieved from https://6abc.com/technology/dunkin-warns-customers-of-data-breach/4785174/
No comments:
Post a Comment