Learning From the “Holes” in Dunkin’s Security to Mitigate Brute-Force Attacks

Credential stuffing, a form of brute-force attack in which the attacker uses compromised credentials obtained from a data breach to attempt an account takeover, continues to be a pervasive threat. It is the focus of a recent SEC Risk Alert, and it is at the foundation of the New York Attorney General’s settlement with Dunkin’ Brands, Inc., announced the same day, which centers on allegations that Dunkin’ failed to respond to a series of successful brute-force attacks that left tens of thousands of customers’ online accounts vulnerable. We analyze the Dunkin’ case and the terms of the settlement, discuss the implications of the case and the Risk Alert, and offer five measures for mitigating credential-stuffing attacks. See “The Growing Role of State AGs in Privacy Enforcement” (Nov. 28, 2018).

Continue reading your article with a CSLR subscription.