Dunkin’ Donuts says some ‘DD Perks’ accounts may have been hacked

"We believe that these third-parties obtained usernames and passwords from security breaches of other companies."


Before you pick up that next cup of coffee using the Dunkin’ Donuts mobile app, you should consider changing your password — if you haven’t already.

The company says it learned on Oct. 31 that third parties had hacked other companies’ data to grab usernames and passwords, which they then used to log into some DD Perks accounts.

“We believe that these third-parties obtained usernames and passwords from security breaches of other companies,” Dunkin’ Donuts said in a statement posted on its website. “These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet.”

Although the company’s security vendor was able to stop most of the attempts, the statement said it is possible that some of the third parties may have succeeded in logging in if a username and password were also used for other online accounts.

What the hackers had access to depends on what information was in each account, according to Dunkin’ Donuts. It may have included first and last names, email addresses, 16-digit DD Perks account numbers, and DD Perks QR codes.

The company said it immediately launched an internal investigation and is working to remediate the breach and prevent others from happening again.

“As you know already, we forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back in to their account using a new password,” the statement said. “We also have taken steps to replace any DD Perks stored value cards with a new account number, but retaining the same value that was previously present on those cards.”


The company said it reported the data breach to law enforcement and is working with officials to locate the third parties responsible.

The statement also reminds DD Perks users that the company recommends they create passwords unique to those accounts and not ones that they use for other online accounts.