Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Dell, Dunkin Donuts Reset Passwords After Incidents

The Impacts of Both Incidents Appear to Be Limited
Dell, Dunkin Donuts Reset Passwords After Incidents
(Photo: Dunkin Donuts)

Dell and Dunkin Donuts have both initiated password resets after experiencing separate security incidents that appeared aimed at gaining access to customer accounts.

See Also: Office 365 Threat Simulation

Dell says it detected an incident on Nov. 9 in which attackers sought names, email addresses and hashed passwords. Dunkin Donuts says its issues likely involved the reuse of leaked credentials from other breaches in order to take over DD Perks accounts, the company's rewards and gift card program.

As a result, both companies opted for password resets with the hope that customers won't recycle ones that they've already used on other services. Reusing passwords fuels so-called "credential stuffing" attacks, in which attackers use leaked sets of credentials to see what other accounts can be unlocked.

The companies say, however, that the impacts of the attacks appear to be limited.

Dell: No Financial Data Affected

Dell says the attack affected customer accounts created for dell.com as well as its Premier, Global Portal and support.dell.com, which is also referred to as Esupport.

After it detected the attack, Dell says it started an investigation and retained a digital forensics firm to investigate. It also contacted law enforcement.

"Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted."
—Dell

Dell appears to have detected and shut down the attack quickly, which is one of the main challenges with cyberattacks, says Pravin Kothari, CEO of CipherCloud. The average "dwell" time - the period between when a system is compromised and an attack is detected, was about 75 days last year, Kothari says.

"The goal today for every security operations center is to detect and shut down attackers with the most minimal dwell time," Kothari says. "This is the leading edge of industry best practice for on-premises and cloud security. Dell has shown that the right mix of skilled personnel equipped with the right tools for visibility, threat and data protection can make a big difference."

The impact of the exposure was limited, Dell says, due to "cybersecurity measures in place that limit the impact of any potential exposure, including the hashing of customers' passwords." No credit card or other sensitive personal information was affected.

"Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted," the company says.

Dell didn't specify what hashing algorithm it uses. Service providers are increasingly hashing passwords with bcrypt, which makes it more difficult for attackers to run brute-force computations in hopes of discovering the plain-text password.

According to Reuters, Dell initiated the password reset on Nov. 14, five days after it detected the attack. But it didn't inform customers about the attack at that time, according to an anonymous source cited by Reuters.

Dell didn't include that information in its announcement. But a Q&A addresses why the company delayed its public disclosure.

"We are disclosing this incident now based on findings communicated to us by our independent digital forensics firm about the attempted extraction," Dell says.

Dunkin: Most Takeovers Unsuccessful

Dunkin Donuts says one of its security vendors informed it that account credentials leaked in other breaches were being used to get access to DD Perks accounts.

"Our security vendor was successful in stopping most of these attempts, but it is possible that these third parties may have succeeded in logging into your DD Perks accounts if you used your DD Perks username and password for accounts unrelated to Dunkin," the company says in a statement to its customers.

The data that may have been exposed includes first and last names, email addresses used for usernames, the 16-digit account numbers and associated QR codes, the company says.

Dunkin says it opted to reset the passwords for those potentially affected. It also is issuing new account numbers and transferring the remaining balances from the old card to the new ones.

"We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third-parties responsible for the this incident," Dunkin says.

Once Again: Strong, Unique Passwords

Both of these incidents reinforce a point that security experts and companies have been trying to communicate in earnest: Use unique, strong passwords across online services.

Dell's tips are to use a minimum of eight characters, with a mix of uppercase and lowercase letters and a number. Another tip from Dell is to create a reminder sentence that plucks out the first character of each word.

But the best advice is to get a password manager, which can generate strong passwords and sync them in a vault across desktop and mobile devices (see: 7 Tips For Determining Which Password Manager Suits Your Organization's Needs).


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.