Beginning in early 2015, Dunkin’ customers’ online accounts were targeted in a series of “credential stuffing attacks” — repeated, automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites or online services. In a matter of months, tens of thousands of customer accounts were compromised. Many of these accounts held Dunkin’-branded stored value cards — known as “DD cards” — which could be used to make purchases at Dunkin’ stores. An attacker that gained access to one of these accounts would have been able to use the DD card to make purchases, or remove the card from the account and sell it online. As a result of these attacks, tens of thousands of dollars on customers’ DD cards were stolen.