Credential theft

Dunkin Donuts Credential Stuffing Attack: 325,000 DD Perks Accounts

Date: 2018-10-31 | Organisation: Dunkin Donuts DD Perks loyalty program

Incident Details

In late October 2018, Dunkin Donuts, one of the world's largest coffee and baked goods chains, suffered a credential stuffing attack against its DD Perks loyalty rewards program. The attack was discovered on 31 October 2018 when a third-party security firm contracted by Dunkin detected unusual login activity. Approximately 325,000 DD Perks accounts were accessed. The DD Perks accounts contained loyalty points (DD Perks Stars), personal information (names, email addresses, 10-digit DD Perks account numbers), and associated QR codes that could be used at stores as payment. The stolen account credentials were being sold on underground forums.

Dunkin notified affected customers in November 2018 and recommended password resets. The New York Attorney General subsequently opened an investigation and in 2020 fined Dunkin $650,000 for failing to adequately notify customers and implement security measures, finding that Dunkin was slow to notify customers and failed to take timely action to prevent further attacks. Dunkin suffered a second credential stuffing attack in January 2019 using the same technique. The two attacks illustrated the effectiveness of credential stuffing against loyalty programs, where stolen accounts can be monetised by redeeming points for free products or by reselling the accounts.

Technical Details

Initial Attack Vector
Cybercriminals used credential stuffing (testing large volumes of username/password combinations stolen from other data breaches) against Dunkin' Donuts' DD Perks rewards program. The attack targeted the mobile app login and successfully authenticated using previously compromised credentials from unrelated breaches.
Vendor / Product
Dunkin Donuts DD Perks loyalty program
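Detection logic of the kind implied by the third-party firm's "unusual login activity" alert, as an added example that is not part of the original record: it flags a source IP that tries many distinct accounts within a short window with a high failure rate, then lists the accounts that did authenticate from such an IP (candidates for forced password reset and customer notification). The log lines, IP addresses, thresholds and function names are constructed assumptions, not Dunkin data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real DD Perks data): timestamp, source IP, account, result
SAMPLE_LOG = """\
2018-10-31T02:00:01Z 203.0.113.7 user001@example.com FAIL
2018-10-31T02:00:02Z 203.0.113.7 user002@example.com FAIL
2018-10-31T02:00:02Z 203.0.113.7 user003@example.com OK
2018-10-31T02:00:03Z 203.0.113.7 user004@example.com FAIL
2018-10-31T02:00:04Z 203.0.113.7 user005@example.com FAIL
2018-10-31T02:00:05Z 203.0.113.7 user006@example.com OK
2018-10-31T02:00:09Z 198.51.100.4 alice@example.com FAIL
2018-10-31T02:00:15Z 198.51.100.4 alice@example.com OK
"""

def parse_events(text):
    """Parse one event per line into (timestamp, ip, account, success)."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any `window`, try at least `min_accounts` distinct
    accounts with a failure ratio of at least `min_fail_ratio`. A few successes inside
    such a burst are the compromised accounts, not noise. Returns
    {ip: (distinct_accounts, attempts, successes)} for the last flagged window per IP."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e[2] for e in chunk}
            successes = sum(1 for e in chunk if e[3])
            if len(accounts) >= min_accounts and 1 - successes / len(chunk) >= min_fail_ratio:
                flagged[ip] = (len(accounts), len(chunk), successes)
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that authenticated from a flagged IP: force a password reset and notify."""
    return sorted({acct for _, ip, acct, ok in events if ok and ip in flagged})
```

A single legitimate user failing once and then succeeding (the 198.51.100.4 lines) is not flagged, which is the distinction that keeps such a rule usable against a consumer login endpoint.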

Timeline

  1. 2018-10-31 Breach occurred
  2. 2018-11-09 Publicly disclosed
  3. 2018-11-09 Customers notified