Dunkin’ announced that a third-party obtained access to some DD Perks accounts using usernames and passwords disclosed in data breaches at other companies, known as a credential stuffing attack. If accountholders used the same credentials for their DD Perks account that were exposed in a previous breach, the threat actors were able to gain access to their account, revealing customers’ first and last names, addresses, and account numbers. Dunkin’ forced a password reset to all potentially affected accountholders. It is important to immediately change passwords that have been disclosed in a breach, as well as passwords for any other accounts that share the same credentials. It is highly recommended to avoid reusing passwords across multiple accounts and enable multi-factor authentication where available to prevent credential stuffing attacks.