Dunkin’ Donuts app hit by account takeover attack, some bank fraud complaints emerge

Coffee giant Dunkin' Donuts announced a security incident involving its mobile app yesterday, but I am afraid the firm isn't telling quite the whole story. I'm hard at work trying to figure that out right now. The incident reminds me of what happened to Starbucks consumers, when criminals armed with login information managed to use the app to attack customers' bank accounts.

In its announcement, Dunkin' said consumers' emails, names and loyalty account numbers might have been viewed by criminals armed with login credentials stolen from *other* places. Not a big deal. Were the Dunkin' Donuts app merely a loyalty card tool, there wouldn't be much to attack.

But, like the Starbucks app, and many others now, the Dunkin' app can also be used to pay at retail outlets — it's a "stored value" app. A mobile phone gift card, and more. That means compromised credentials open the door to various fraud schemes. A criminal who logged into a Dunkin' account could use the stored value to buy coffee, for example, or, more importantly, sell the value on a criminal exchange. Theft of $10 or $20 worth of coffee isn't much to worry about. The real issue arises because users can load their credit, debit or Google Pay account information onto the app, and some choose to auto-reload value. That creates a big opportunity for criminals. In the Starbucks situation, hackers managed to steal hundreds of dollars from consumers, one $100 auto-reload after another.

Dunkin's announcement (PDF) makes no mention of fraud.

"We also have taken steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards," it said. The firm also says "our security vendor was successful in stopping most of these attempts," but says criminals were successful in some cases. How many? There's no information.

When the Starbucks incident occurred, Twitter was flooded with complaints from consumers, and Starbucks' customer service center was bombarded as well. I don't see that level of complaint about Dunkin' fraud, but there are some. Like this one, posted three days ago:

"@dunkindonuts I discovered fraud on my app today. I called. I sent an email. You're closed for the holiday. How is this helpful? I have to contact you 3 times for fraud. #nothelpful. Happy Thanksgiving. Loyalty gets me ???"

It's not uncommon for fraud rings like this to spring into action during holiday weekends, when fraud staff gets thin and consumers are less likely to notice.

About a year ago, there was a larger flurry of fraud complaints lodged against Dunkin' Donuts.

"Three cards have been purchased and set to auto reload for $99 before being flagged by my banking establishment," wrote one victim on Reddit, generating plenty of "me too" responses. Here's one: "Same thing with me. I had a charge last night for $95, then a charge for $99 today. I just went on the website, changed my password and took my bank card information off the website."

Dunkin' Donuts hasn't responded to my questions about the incident yet; nor have any of the alleged victim consumers. I'll update this story if and when that happens. Meanwhile, it's important to know that someone with access to your stored value mobile phone app accounts — like Dunkin' DD Rewards, or your Starbucks app — has a route to hack your bank accounts. So use bank-account-worthy passwords on them. Try to avoid re-using passwords, so hacks at other sites won't let someone break into your stored value app accounts. And, as much as feasible, avoid loading your banking details onto apps like this. It's convenient, but it can lead to unexpected risks. You can't expect a coffee company to have security that's as strong as a financial company.
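The fraud the victims describe above has a recognizable shape from the merchant's side: a login, a freshly added payment card, then several near-maximum reloads within minutes or hours. As an added illustration (not part of this post and not code from any Dunkin' or Starbucks system), here is the kind of reload-velocity check a stored-value app's fraud team could run over account-activity events; the event format, field names, sample data and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-activity events (not real customer data):
# (timestamp, account id, event type, detail)
EVENTS = [
    ("2018-11-22T01:02:00", "acct-17", "login", "ip=203.0.113.9"),
    ("2018-11-22T01:03:10", "acct-17", "card_added", "visa-****1234"),
    ("2018-11-22T01:04:00", "acct-17", "reload", "99.00"),
    ("2018-11-22T01:09:30", "acct-17", "reload", "99.00"),
    ("2018-11-22T01:15:45", "acct-17", "reload", "95.00"),
    ("2018-11-22T07:30:00", "acct-42", "login", "ip=198.51.100.7"),
    ("2018-11-22T07:31:00", "acct-42", "reload", "10.00"),
    ("2018-11-23T09:00:00", "acct-42", "reload", "10.00"),
]


def flag_reload_abuse(events, window=timedelta(hours=24),
                      max_reloads=2, min_total=150.0):
    """Return accounts whose reload velocity inside `window` exceeds the
    thresholds (assumed values: more than 2 reloads or $150+ in 24 hours).
    Each hit records the reload count, the dollar total and whether a
    payment card was added inside the same window, which is the
    account-takeover pattern described in the post."""
    by_acct = defaultdict(list)
    for ts, acct, ev, detail in events:
        by_acct[acct].append((datetime.fromisoformat(ts), ev, detail))

    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()
        reloads = [(t, float(d)) for t, e, d in evs if e == "reload"]
        # Slide a window starting at each reload and count what falls inside.
        for i, (start, _) in enumerate(reloads):
            in_win = [amt for t, amt in reloads[i:] if t - start <= window]
            if len(in_win) > max_reloads or sum(in_win) >= min_total:
                new_card = any(e == "card_added" and start - window <= t <= start
                               for t, e, _ in evs)
                flagged[acct] = {"reloads": len(in_win),
                                 "total": round(sum(in_win), 2),
                                 "new_card": new_card}
                break
    return flagged


if __name__ == "__main__":
    for acct, hit in flag_reload_abuse(EVENTS).items():
        print(acct, hit)
```

With the sample data, only acct-17 is flagged (three reloads totalling $293 within fifteen minutes, right after a new card was added); acct-42's two $10 reloads a day apart fall outside the window.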



About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

1 Comment

  1. Thank you for this information, Bob. I just checked my Starbucks app. Balance was cleared out by thieves. Called Starbucks; they are investigating and I am to call back in 3 days to find out the results. Thankfully no other account was linked to the app, but they have my personal information?
