Late last week, Marriott announced that hackers and fraudsters have been harvesting, packaging, selling and monetizing a wide variety of its customers' personal and payment data for four years. In total during that time, the company said the breach exposed as many as 500 million people who had made reservations at the Bethesda, Md.-based hotel chain or other Starwood-owned properties.
According to a statement, the information exposed by the intrusion includes name, address, phone number, email address, passport numbers, loyalty account information, date of birth, gender, arrival and departure information and more. The company said encrypted payment card information was also stolen and, while it would be difficult to decrypt, Marriott could not rule out the possibility that it had been.
At roughly the same time that Marriott acknowledged the data heist, Dunkin' Brands was notifying some customers that their DD Perks loyalty accounts had been illegally accessed in a credential stuffing attack. The attack on Dunkin' used an automated script to try to gain access to customer accounts with login credentials stolen from other sources.
While the two events are not related, the proximity of the two attacks highlights how data breaches like the one at Marriott fuel attacks like the one that victimized Dunkin'. Breaches yield personal information, often including username/password combinations. Those credentials are sold, aggregated and directed by the thousands, or even millions, at e-commerce sites across the Internet. It works because people tend to reuse their passwords across many online accounts.
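The pattern described above has a detection signature on the defending site's side: a brute-force attack hammers one account with many passwords, whereas credential stuffing tries many distinct usernames, each once or twice, and most attempts fail because the password was changed or never reused. The script below is an added example, not code from the article or from Marriott, Dunkin' or Shape Security; it parses a constructed, hypothetical login-log format and flags source addresses that tried many distinct usernames with a high failure rate, then lists the accounts where such a source did succeed, which are the ones to reset.

```python
"""Flag credential-stuffing sources in login logs (added example, constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a hypothetical format; not from any real system.
# 203.0.113.7 cycles through eight different accounts and gets one hit (dave).
# 198.51.100.20 is a legitimate user mistyping her own password twice.
# 192.0.2.5 is two normal logins from a shared address.
SAMPLE_LOG = """\
2018-11-30T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2018-11-30T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2018-11-30T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2018-11-30T10:00:02Z ip=203.0.113.7 user=dave@example.com result=OK
2018-11-30T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2018-11-30T10:00:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2018-11-30T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2018-11-30T10:00:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2018-11-30T10:01:10Z ip=198.51.100.20 user=alice@example.com result=FAIL
2018-11-30T10:01:25Z ip=198.51.100.20 user=alice@example.com result=FAIL
2018-11-30T10:01:40Z ip=198.51.100.20 user=alice@example.com result=OK
2018-11-30T10:02:00Z ip=192.0.2.5 user=ivan@example.com result=OK
2018-11-30T10:02:30Z ip=192.0.2.5 user=judy@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Return a list of (ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that logged in

    @property
    def fail_ratio(self):
        return self.failures / self.attempts if self.attempts else 0.0


def summarize_by_source(events):
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Sources that tried many different usernames and mostly failed.

    A single user retrying their own password never trips this, because the
    distinct-username count stays at one regardless of how many failures occur.
    """
    return {
        ip: s
        for ip, s in summarize_by_source(events).items()
        if len(s.users) >= min_distinct_users and s.fail_ratio >= min_fail_ratio
    }


def accounts_to_review(events, **thresholds):
    """Accounts a flagged source logged into successfully: reset these first."""
    names = set()
    for s in find_stuffing_sources(events, **thresholds).values():
        names |= s.successes
    return sorted(names)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, s in find_stuffing_sources(evs).items():
        print(f"{ip}: {len(s.users)} users tried, fail ratio {s.fail_ratio:.2f}, "
              f"successful logins: {sorted(s.successes)}")
    print("accounts to reset/review:", accounts_to_review(evs))
```

The per-source heuristic is deliberately simple; a stuffing run spread across a proxy pool will stay under the per-IP threshold, so in production the same distinct-username and failure-ratio counts should also be tracked site-wide against a baseline, and the successes should be answered with a forced password reset and a reuse check at the next login rather than silently blocked.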
Once individual online accounts are illegally accessed, fraudsters can monetize them in various ways, including selling the validated login credentials, draining accounts of any stored value, selling loyalty points on a secondary market or using account information to complete synthetic identities.
According to cybersecurity firm Shape Security, 2.3 billion login credentials were exposed in 2017.