Task 1 of 4
# Real Breach: Dunkin' Donuts Credential Stuffing
## How Automated Login Attacks Drained Loyalty Accounts
In 2019, Dunkin' Donuts confirmed that attackers had compromised thousands of DD Perks loyalty accounts. The method: **credential stuffing and brute force**. Attackers used lists of leaked username/password pairs from other breaches and hammered the login endpoint with no slowdown.
Customers woke up to find their loyalty balances — worth real gift card money — sold on underground forums. The company had no rate limiting and no lockout on failed attempts. Once attackers found that out, the attack ran on autopilot.
---
### Why This Works
Login endpoints are the front door. Every system needs one. But many systems never enforce limits on *how many times you can knock*.
Without protections, an attacker can try every possible combination automatically:
- **Brute force** — try every possible value (0000 to 9999 for a 4-digit PIN = 10,000 guesses)
- **Credential stuffing** — use real username/password combos leaked from other breaches
- **Password spraying** — try one common password against thousands of accounts
None of these require hacking skill. They require patience — and a script.
---
### The Three Protections That Stop This
| Protection | What It Does |
|---|---|
| **Rate limiting** | Slow down after N attempts per IP per minute |
| **Account lockout** | Lock after N failed attempts (e.g. 5 tries) |
| **CAPTCHA** | Require a human challenge after failures |
FirstBank has none of these. Time to prove it.
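As an added example that is not part of the task materials, here is a compact model of the three protections from the table, with a replay of a constructed "leaked credentials" list so you can see which verdict each attempt would get. Thresholds, IP addresses, usernames and the `password_ok` flag (standing in for the real constant-time credential check) are all assumptions.

```python
import time
from collections import defaultdict, deque

class LoginGuard:
    """In-memory model of the three protections from the table above.
    Constructed example: thresholds are illustrative, and the caller supplies
    the result of the real (constant-time) credential check."""

    def __init__(self, rate_limit=10, window=60, lockout_after=5,
                 lockout_seconds=900, captcha_after=3):
        self.rate_limit, self.window = rate_limit, window
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.captcha_after = captcha_after
        self.ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unlock timestamp

    def attempt(self, ip, username, password_ok, captcha_solved=False, now=None):
        now = time.time() if now is None else now
        # 1. Rate limiting: N attempts per IP per window, checked before anything else
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.rate_limit:
            return "rate_limited"
        hits.append(now)
        # 2. Account lockout: a locked account rejects even the correct password
        if self.locked_until.get(username, 0) > now:
            return "locked"
        # 3. CAPTCHA: after a few failures a human challenge must accompany the request
        if self.failures[username] >= self.captcha_after and not captcha_solved:
            return "captcha_required"
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.lockout_after:
            self.locked_until[username] = now + self.lockout_seconds
            return "locked"
        return "invalid"

def replay_leaked_list(guard, attacker_ip="198.51.100.7", start=1_700_000_000):
    """Replay a constructed 'leaked credentials' list, one attempt per second
    from a single IP, and return the guard's verdict for each attempt."""
    leaked = [("alice", False)] * 6 + [("bob", False)] * 3 + [("bob", True)] * 2
    return [guard.attempt(attacker_ip, user, ok, now=start + i)
            for i, (user, ok) in enumerate(leaked)]
```

Note that the correct stuffed credential for `bob` is still refused, because the CAPTCHA gate triggers on the account's failure count before the password is even checked, and the eleventh request from the same IP is dropped by the rate limiter. Per-username lockout can be abused to lock out legitimate users, so production deployments pair it with IP and device signals and keep these counters in a shared store rather than process memory.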