Thieves & Doughnuts

Every year, on the first Friday in June, people celebrate National Doughnut Day. The day celebrates doughnuts and honors the Salvation Army Lassies, who served doughnuts to soldiers during World War I. The “Salvation Army Doughnut” was first served in 1917. The brave Salvation Army Lassies went to the front lines in Europe and boosted soldiers’ morale with home-cooked food. The doughnuts were sometimes fried in oil inside the American soldiers’ metal helmets (a story often offered as the origin of the nickname “doughboys” for American soldiers, although the term predates the war). The Salvation Army created National Doughnut Day in 1938 to honor the women who served doughnuts during World War I. The day began as a fundraiser to help the needy during the Great Depression.

Although the plain glazed doughnut reigns supreme as the most popular doughnut, doughnut shops around the country are caught up in the unusual doughnut trend, with flavors such as Guava & Cheese, Pad Thai, Mojito, Lemon Lavender, and Sweet Corn & Blueberry. Many people have a favorite type of doughnut or a favorite doughnut shop. Dunkin’ Donuts (also known as “Dunkin’”) sells the most doughnuts of any company in the United States. In 2020, the company served approximately 64 million customers and sold 2.7 billion doughnuts. Many customers pay for their doughnuts with Dunkin’ value cards. At first, the value cards were simply a convenience; then they started causing big problems for the company.

In 2015, attackers gained access to the online accounts of approximately 20,000 Dunkin’ customers, and with them the money stored on the Dunkin’ value cards linked to those accounts. The customers had created the accounts through Dunkin’s website and mobile apps. Once inside an account, the attackers could use the card to make purchases or sell the card online. Within a few months, the attackers stole tens of thousands of dollars. In 2018, the company suffered similar attacks. In 2019, the New York Attorney General sued Dunkin’ for failing to notify customers of the attacks. The lawsuit alleges that Dunkin’ employees were aware of the attacks by May 2015, both from customer reports and from an app developer that provided Dunkin’ with a list of 19,715 accounts that had been compromised. According to the Attorney General’s Office, Dunkin’ did not take action to protect its customers.

Dunkin’ has agreed to pay $650,000.00 in penalties and costs to the State of New York, notify all impacted customers, reset account passwords, and provide refunds for the unauthorized use of the value cards. Additionally, Dunkin’ must upgrade its security procedures and follow data breach notification procedures.

The attacks suffered by Dunkin’ are called “credential stuffing.” According to Jonathan Marks, CPA, CFF, CFE:

“Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and email addresses, and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools.”
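The distinction in that definition (one try per account across thousands of accounts, versus many tries against one account) is exactly what a site’s own login log exposes. The following is an added example for this article, not code from Dunkin’, SDC, or the quoted author: it runs over a constructed login log and labels each source as stuffing, cracking, or normal, then lists the accounts a stuffing source actually got into, which are the ones that need a password reset and a notification. The log lines, the thresholds, and the 10-minute window are all assumptions for illustration.

```python
"""Separate credential stuffing from password cracking in a login log.

Added example for this article (not Dunkin' or SDC code). The log lines are
constructed and the thresholds are illustrative; a real deployment tunes them
against its own baseline traffic.

Stuffing: one source tries many distinct accounts about once each, and some
logins succeed because the leaked pairs are valid on this site too.
Cracking: one source tries one account many times and almost always fails.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, account, result (not real data).
SAMPLE_LOG = """\
2015-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2015-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2015-05-01T10:00:02Z 203.0.113.7 carol@example.com OK
2015-05-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2015-05-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2015-05-01T10:00:04Z 203.0.113.7 frank@example.com OK
2015-05-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2015-05-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2015-05-01T10:05:00Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:01Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:02Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:03Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:04Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:05Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:06Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:05:07Z 198.51.100.9 victim@example.com FAIL
2015-05-01T10:30:00Z 192.0.2.44 mallory@example.com FAIL
2015-05-01T10:30:30Z 192.0.2.44 mallory@example.com OK
"""

WINDOW_SECONDS = 600      # classify each source per 10-minute window (assumed)
MIN_ATTEMPTS = 8          # fewer attempts in a window is ordinary traffic (assumed)
STUFFING_SPREAD = 0.8     # distinct accounts / attempts close to 1.0
CRACKING_SPREAD = 0.2     # distinct accounts / attempts close to 0
SEVERITY = {"normal": 0, "cracking": 1, "stuffing": 2}


def parse_log(text):
    """Turn 'ts ip account result' lines into (ts, ip, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, account, result == "OK"))
    return events


def profile_sources(events, window=WINDOW_SECONDS):
    """Count attempts, distinct accounts and successful accounts per (ip, window)."""
    profiles = defaultdict(lambda: {"attempts": 0, "accounts": set(), "successes": set()})
    for when, ip, account, ok in events:
        bucket = int(when.timestamp()) // window
        p = profiles[(ip, bucket)]
        p["attempts"] += 1
        p["accounts"].add(account)
        if ok:
            p["successes"].add(account)
    return profiles


def classify_profile(p):
    """Label one (ip, window) profile by how its attempts are spread over accounts."""
    if p["attempts"] < MIN_ATTEMPTS:
        return "normal"
    spread = len(p["accounts"]) / p["attempts"]
    if spread >= STUFFING_SPREAD:
        return "stuffing"
    if spread <= CRACKING_SPREAD:
        return "cracking"
    return "normal"


def classify_log(text):
    """Worst label seen for each source IP across all windows."""
    verdicts = {}
    for (ip, _bucket), p in profile_sources(parse_log(text)).items():
        label = classify_profile(p)
        if SEVERITY[label] >= SEVERITY[verdicts.get(ip, "normal")]:
            verdicts[ip] = label
    return verdicts


def accounts_to_reset(text):
    """Accounts a stuffing source logged into: reset their passwords and notify."""
    hit = set()
    for p in profile_sources(parse_log(text)).values():
        if classify_profile(p) == "stuffing":
            hit |= p["successes"]
    return hit


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
    print("reset:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

The per-IP view is the simplest signal. Real stuffing campaigns rotate through proxy addresses so that no single IP reaches the threshold, which is why the same spread ratio is also worth computing over all sources in a window, and why an unusual success rate on first-attempt logins from new devices is often the better tell.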

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, so a breach at an unrelated site supplies working passwords for accounts elsewhere. One survey reported that 81% of users have reused a password across two or more sites, and 25% of users use the same password across a majority of their accounts.

According to the Ponemon Institute’s Cost of Credential Stuffing report, businesses lose an average of $4 million per year to credential stuffing. Users can take steps to protect themselves:

  • Avoid reusing passwords: Use a unique password for each account you use online, so that a leak from one site cannot be replayed against another.
  • Use a password manager: Generate strong, random passwords and let a password manager remember them for you.
  • Enable two-factor authentication: Even if an attacker has your username and password, they cannot sign in without the second factor (a one-time code from an authenticator app or a hardware security key; codes sent by SMS are better than nothing but are the weakest option).
  • Get leaked password notifications: Use a service like Have I Been Pwned to receive a message when your credentials appear in a leak.
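The leaked-password check in the last item does not require handing your password to anyone. The following is an added example for this article, not SDC’s code or Have I Been Pwned’s own client: it implements the k-anonymity scheme that the Pwned Passwords range API uses, where only the first five hex characters of the password’s SHA-1 hash are sent and the match is made locally against the returned suffixes. The range response embedded here is constructed so that the example runs offline; the `offline_lookup` and `online_lookup` names and the counts in the sample response are assumptions.

```python
"""Check a password against a leaked-password corpus without sending it.

Added example for this article (not SDC's or Have I Been Pwned's code).
It follows the k-anonymity scheme of the Pwned Passwords range API: only the
first five hex characters of the password's SHA-1 hash leave the client, the
service returns every known suffix under that prefix as "SUFFIX:COUNT" lines,
and the comparison happens locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the service so the example runs offline.
# The middle suffix is the real remainder of SHA-1("password"); the other
# two suffixes and all three counts are invented for illustration.
OFFLINE_RANGES = {
    "5BAA6": (
        "1D2D7C0A7E6DF8FBA0AF60A3F8C3A16F0A1:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F0F6C42D2C8A5F6E1E9D6B57B1E1B5F0A9:1\r\n"
    ),
}


def hash_parts(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, lookup):
    """How many times the corpus has seen this password (0 means not found).

    lookup(prefix) returns the range body for a 5-hex-char prefix; the
    password itself is never passed to it.
    """
    prefix, suffix = hash_parts(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def offline_lookup(prefix):
    """Assumed helper: serve the constructed ranges above."""
    return OFFLINE_RANGES.get(prefix, "")


def online_lookup(prefix):
    """Assumed helper: real range query. Add-Padding hides the true number of
    suffixes in the response from a network observer; padded entries carry a
    count of 0 and fall out naturally."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_lookup)
        verdict = f"seen {n} times, do not use" if n else "not in sample corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_lookup` for `online_lookup` to query the live service. Because the service only ever sees a five-character hash prefix, which matches hundreds of passwords, a compromised or logging server learns nothing usable about the password being checked.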

There’s a common saying in cyber security: “it’s not a matter of IF but WHEN a business will come under attack from hackers.” As a forensic accounting company, often dealing with the aftermath of cyberattacks, SDC urges users of stored value cards to take steps to educate and protect themselves.
