If you’ve never updated your Domino’s Pizza account information, you may want to do so, and soon. Hackers are engaged in an ongoing credential stuffing operation against the well-known international pizza brand, with their sights primarily set on Domino’s Pizza customers in the US. After scouring posts on more than a dozen dark web marketplaces, we discovered that over 12,000 Domino’s Pizza accounts have been sold, most of them within the past 12 months.
Why are hackers targeting Domino’s Pizza accounts?
While it may seem counterintuitive, hackers and their buyers aren’t immediately after Domino’s shoppers’ credit card information. Instead, they’re on the hunt for rewards points and free pizza.
Domino’s Pizza offers a rewards program that gives buyers 10 points for every order. At 60 points (or 6 purchases), customers can redeem the points for a free medium-sized two-topping pizza. A medium two-topping pizza from Domino’s normally goes for $12.99 when ordered individually without any other offers or discounts.
Between April 27 and May 5, 2020, we searched over a dozen dark web marketplaces for posts advertising the sale of Domino’s Pizza user accounts. All of the Domino’s account selling was taking place on 3 different markets. Around 87% of all posts and 100% of the sales went through one of the larger markets we checked. We recorded 12,200 sales across the 58 separate posts we found.
Once someone buys an account, the process is simple. Buyers will log in with the account information, redeem the points, and have the pizza delivered to their desired location.
The majority of sales we saw across the various marketplaces took place within the past 12 months, which means most of the successful sellers created their posts in 2019 or early 2020.
How much are hackers earning from Domino’s Pizza account selling?
The majority of account sellers likely aren’t earning big bucks by selling Domino’s Pizza accounts. In fact, only a small number of sellers’ posts had any sales at all. And most posts listed prices in the $1 to $5 range.
A few posts with a high volume of sales presented list prices over $1,000. However, digging into their feedback records reveals that the posted sale price is often not what buyers paid. The actual sale prices we identified typically ranged from $0.25 to $3.00.
Hackers may have collectively earned around $12,000 to $36,000 in Domino’s Pizza account sales in the past 12 months. Those paltry earnings could seem hardly worth the effort.
However, what makes these sellers’ efforts pay off is volume, and that volume extends well beyond Domino’s Pizza accounts. They also sell accounts for other services and sites, including other food chains such as Jersey Mike’s, and premium accounts for streaming services like Sling TV, Hulu, and Disney+.
When it comes to restaurants, though, the most successful account sellers on various markets found their biggest win with Domino’s Pizza accounts.
How much money have Domino’s customers lost?
With a non-discounted price of $12.99 for a medium two-topping pizza, the 12,200 accounts sold represent roughly $160,000 (12,200 × $12.99) in free pizza taken from Domino’s customers within the past 12 months.
That $160,000 figure is a conservative lower bound, and the real loss to Domino’s customers is quite possibly much higher. Many Domino’s Pizza customers have accumulated more than the 60-point minimum for a free pizza. In fact, some dark web marketplace sellers were advertising accounts with 300 or more points.
The hit to Domino’s Pizza’s bottom line could be rather extensive, as well. Some consumers who’ve posted on various forums have noted that Domino’s replaces the rewards after users file a complaint. Domino’s may be delivering hundreds of thousands of dollars in free pizza to hackers and replacing users’ points afterward, resulting in even more free pizza.
The threat may appear limited, but its impact extends beyond a few stolen pizzas. Over 80% of internet users reuse the same password across multiple websites, which is exactly the habit credential stuffing depends on. Buyers may well be trying those same email and password combinations against other accounts, too.
How are hackers stealing Domino’s Pizza accounts?
There are several ways in which hackers could be stealing Domino’s Pizza accounts, two of which we have confirmed.
The first confirmed method is phishing. Verified phishing attacks against Domino’s Pizza customers made the rounds on social media as recently as April 2020; Snopes posted an article about an ongoing phishing campaign on April 8.
The other confirmed method hackers use to steal accounts is credential stuffing. This type of attack uses username and password combinations that have already been exposed in breaches of other sites. Hackers feed that data to a script that automatically submits each pair to the target’s login form.
Successes and failures are recorded, and the hackers then work from the resulting list of valid credentials. Because every attempt is a properly formed login carrying a real password, and the attempts can be paced slowly and spread across many IP addresses, the traffic can look almost indistinguishable from legitimate login activity.
We’ve identified numerous dark web posts selling Domino’s Pizza config files for the SNIPR credential stuffing tool. The config files sell for as little as $0.99.
As with all credential stuffing, the SNIPR tool requires username/password combinations to work. Hackers likely obtain these from readily available breached data dumps, which are also for sale on many dark web marketplaces.
Hackers can effectively buy everything they need to steal Domino’s Pizza accounts on the dark web for just a few dollars, then make a quick turnaround for a small profit.
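Credential stuffing is far easier to spot in aggregate than one request at a time, which is the defender’s side of the “indistinguishable from legitimate logins” problem described above. The following Python is an added example, not code from the original article or from Domino’s, run over constructed login events in an assumed log format. It applies two rules: a per-IP rule that catches a single host replaying a combo list, and a fleet-wide rule that still fires when the same list is spread one attempt per proxy, where per-IP thresholds never trigger.

```python
"""Two complementary credential-stuffing detectors over constructed auth logs."""
import re
from collections import Counter, defaultdict

# Constructed sample events (not real Domino's logs). The line format is an
# assumption for this example: ISO timestamp, client IP, username, result.
LEGIT_LINES = """\
2020-05-01T12:00:01Z ip=198.51.100.7 user=alice@example.com result=success
2020-05-01T12:00:09Z ip=198.51.100.7 user=alice@example.com result=success
2020-05-01T12:00:15Z ip=203.0.113.44 user=bob@example.com result=fail
2020-05-01T12:00:21Z ip=203.0.113.44 user=bob@example.com result=success
"""

# One source IP replaying a combo list: many distinct usernames, mostly failures.
SINGLE_IP_STUFFING_LINES = "".join(
    f"2020-05-01T12:01:{i:02d}Z ip=192.0.2.10 user=u{i:02d}@example.com "
    f"result={'success' if i == 5 else 'fail'}\n"
    for i in range(1, 9)
)

# The same list replayed through twelve proxies, one attempt each.
DISTRIBUTED_STUFFING_LINES = "".join(
    f"2020-05-01T12:02:{i:02d}Z ip=192.0.2.{100 + i} user=v{i:02d}@example.com "
    f"result={'success' if i in (3, 9) else 'fail'}\n"
    for i in range(1, 13)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Return a list of (ts, ip, user, ok) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["ip"], m["user"], m["result"] == "success"))
    return events


def flag_ips(events, min_distinct_users=5, min_fail_ratio=0.7):
    """Per-source rule: an IP that tries many different accounts and mostly fails."""
    users = defaultdict(set)
    attempts = Counter()
    fails = Counter()
    for _, ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        fails[ip] += 0 if ok else 1
    return {
        ip for ip in attempts
        if len(users[ip]) >= min_distinct_users
        and fails[ip] / attempts[ip] >= min_fail_ratio
    }


def fleet_wide_stuffing(events, min_attempts=10, min_fail_ratio=0.5, min_user_spread=0.8):
    """Aggregate rule: across all sources, almost every attempt names a different
    account and the failure rate is far above what real users produce.
    Returns (flagged, metrics) so an analyst can see why it fired."""
    n = len(events)
    if n == 0:
        return False, {}
    fail_ratio = sum(1 for e in events if not e[3]) / n
    user_spread = len({e[2] for e in events}) / n
    per_ip = Counter(e[1] for e in events)
    metrics = {
        "attempts": n,
        "fail_ratio": round(fail_ratio, 3),
        "user_spread": round(user_spread, 3),
        "max_attempts_per_ip": max(per_ip.values()),  # shows why per-IP rules miss it
    }
    flagged = n >= min_attempts and fail_ratio >= min_fail_ratio and user_spread >= min_user_spread
    return flagged, metrics


if __name__ == "__main__":
    for label, text in [("legit only", LEGIT_LINES),
                        ("single-IP stuffing", LEGIT_LINES + SINGLE_IP_STUFFING_LINES),
                        ("distributed stuffing", LEGIT_LINES + DISTRIBUTED_STUFFING_LINES)]:
        ev = parse_log(text)
        print(label, "| per-IP:", sorted(flag_ips(ev)), "| fleet:", fleet_wide_stuffing(ev))
```

The fleet-wide rule keys on two properties real users rarely produce together: nearly every attempt names a different account, and most attempts fail. In the distributed sample no IP makes more than two attempts, so the per-IP rule returns nothing while the aggregate rule still fires. The thresholds are illustrative and would be tuned against a site’s own login baseline.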
Are hackers selling other pizza chains’ accounts?
While we did find the odd seller advertising other pizza chain accounts, the vast majority were for Domino’s Pizza. But why?
One guess could be Domino’s Pizza’s vast size. It’s currently the largest delivery pizza chain in the US, with gross sales of $13.5 billion in 2018. Pizza Hut is a close contender, with gross sales of $12.2 billion that year.
Still, Domino’s Pizza accounts make up a disproportionate share of dark web account sales even allowing for its place at the top of the national leaderboard, so size alone is an unconvincing explanation.
The most likely reason Domino’s is so heavily favored is because of the company’s Hotspot Delivery service.
With Hotspot Delivery, Domino’s doesn’t require a physical address to make deliveries. Instead, buyers can meet their Domino’s delivery driver at one of thousands of designated public locations, including parks and landmarks. For someone using a stolen account, that means the free pizza can be collected without ever supplying a home address that could be traced back to them.
Domino’s Pizza introduced its Hotspot Delivery service in April 2018. Most of the customer-created posts a web search turns up for the term “Domino’s account hack” were created after April 2018.
We asked Domino’s Pizza to provide additional clarity regarding its account security protections and account-takeover mitigation strategies. A company spokesperson explained, “We take internet security seriously; however, we don’t discuss any corporate countermeasures publicly. Customers with concerns about their accounts can reach out to Domino’s Customer Care for assistance.”
How to protect your Domino’s Pizza account
Hungry consumers with Domino’s Pizza or other online food accounts should consider changing their approach to password security. That said, there are some limitations.
During our research, we discovered that Domino’s does not offer multi-factor authentication to help protect accounts. Neither do Papa John’s or Pizza Hut, the company’s biggest competitors. Domino’s does offer text message and email alerts when an order is placed, but once someone has taken over an account they can change the contact details those alerts go to, so the rightful owner may never see them.
Some customers have also stated that the company has started asking for account verification after a pizza is ordered, but this implementation does not appear to be widespread.
How to secure your Domino’s account from hackers:
- Change your password immediately. Use a strong, unique passphrase: current research suggests a string of randomly chosen words is more secure than a shorter password that mixes numbers, letters, and symbols.
- Save your password in a trusted password manager.
- Change the email address associated with the account, so the stolen email/password pair no longer identifies your login.
- Remove any saved credit cards from your account.
- Monitor your account for suspicious activity, including orders and rewards redemptions you didn’t make.
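To show why the passphrase advice above holds, and when it does not, here is a small added Python example (not from the original article) that generates a passphrase with the operating system’s CSPRNG and compares its entropy with that of a character-based password. The word list is a constructed 24-word sample so the code runs offline; the 7,776-word figure passed to compare() is the size of the EFF long word list, which is what a real generator would use.

```python
"""Random word passphrases vs. character passwords, compared by entropy."""
import math
import secrets

# Constructed mini word list so the example runs offline. A real list such as
# the EFF long list has 7,776 words; pass that size to compare() to see the
# figures for a proper passphrase.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor",
         "indigo", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit",
         "pepper", "quartz", "ripple", "saffron", "timber", "umber", "velvet",
         "walnut", "yonder"]

PRINTABLE_SYMBOLS = 94  # letters, digits and punctuation on a US keyboard


def entropy_bits(choices_per_position, positions):
    """Entropy of a secret built from `positions` uniformly random picks out of
    `choices_per_position` options. Only valid for randomly generated secrets:
    a phrase a person makes up has far less entropy than this formula suggests."""
    if choices_per_position < 2 or positions < 1:
        raise ValueError("need at least two options and one position")
    return positions * math.log2(choices_per_position)


def generate_passphrase(n_words, wordlist=WORDS, sep="-"):
    """Pick n_words with the OS CSPRNG (secrets), never the random module."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(n_words, wordlist_size, password_len, alphabet_size=PRINTABLE_SYMBOLS):
    """Return (passphrase_bits, password_bits, passphrase_is_stronger)."""
    p = entropy_bits(wordlist_size, n_words)
    c = entropy_bits(alphabet_size, password_len)
    return round(p, 1), round(c, 1), p > c


if __name__ == "__main__":
    print(generate_passphrase(6))
    print(compare(6, 7776, 8))        # six EFF-list words vs an 8-char complex password
    print(compare(4, len(WORDS), 8))  # four words from this tiny list lose badly
```

Six words from a 7,776-word list carry about 77 bits of entropy against roughly 52 bits for an eight-character password drawn from the full keyboard, which is the basis of the advice above. The second comparison is the caveat: the advantage comes from the size of the list and the number of words, not from using words as such, and a short phrase from a small vocabulary is weaker than the complex password.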
We also recommend checking whether any of your data is currently being sold on the dark web. Services such as Have I Been Pwned and Experian’s Dark Web Triple Scan can tell you whether your email address has appeared in a known breach, and what kind of information about you may be circulating on dark web marketplaces.
As Domino’s Pizza has suggested, if you believe your account has been hacked, contact customer support.