Dunkin' Donuts customers who use the DD Perks app might have had their personal information exposed, according to a letter the company sent to some customers.
Only certain DD Perks account holders received an email from the company about the exposure of their information because not all users were affected. The email from Dunkin' that was sent to users notified them of the potential vulnerability of their accounts and said the company forced password resets for customers.
The company said it didn't suffer a security breach to its internal systems but that one of the security vendors Dunkin' works with informed them that there were third-party actors that may have accessed user information. The company knew about the information's exposure as of October 31. "We believe that these third-parties obtained usernames and passwords from security breaches of other companies," said the letter from Dunkin' to customers.
That information that may have been exposed was usernames and passwords which when used could have granted access to the customer's name, their email, their DD Perks account number and their QR code for their account. The letter to customers did not mention credit card numbers linked with accounts as the information that was gained through the breach.
"Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin'," said the note from Dunkin'.
Those users who were directly impacted were notified by customer relations of the issue and their passwords were automatically reset. The company said it was also taking steps to replace any DD Perks store value cards if necessary.
Users who were not part of the group forced to reset their passwords have not been identified by Dunkin' as customers who were potentially exposed but they might want to change their passwords anyway. Customers can reset their password in the app and should choose a password they don't reuse for other online accounts with other companies or websites.
The issue was reported to law enforcement officials and is working to determine the third-party actors who perpetrated the attack. The full letter from Dunkin' to customers can be read online here.
Dunkin' Donuts did not immediately respond to Newsweek's request for comment.
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
About the writer
Nina was a breaking news reporter. She previously worked at Business Insider, The Boston Globe, and Boston.com.
