Krispy Kreme Breach Exposes Sensitive Details of Over 160,000 Customers, Including Biometrics

• After the December data breach announcement, Krispy Kreme acknowledged the exposure of over 160,000 people.
• A recent filing revealed that the multinational doughnut company and coffeehouse chain leaked sensitive details like biometrics.
• Krispy Kreme’s investigation attributed the attack to unauthorized activity, not mentioning the involvement of ransomware. 

Krispy Kreme has disclosed the impact of a significant security breach that occurred in November 2024, revealing that the cyberattack compromised the sensitive data of 161,676 individuals. 

Details were provided in a filing to Maine's Attorney General, shedding light on the extent of the intrusion. The data exposed in the breach encompassed a staggeringly wide array of information, including:

• names, 
• Social Security numbers, 
• dates of birth, 
• driver's license and state ID numbers, 
• financial account credentials, 
• credit card details (with security codes), 
• passport numbers, 
• digital signatures, 
• email passwords, 
• biometric data, 
• health and military records. 

Security experts have criticized Krispy Kreme for retaining excessively sensitive details that go far beyond operational necessities. 

Dray Agha, Senior Manager of Security Operations at Huntress, noted that since biometrics and digital signatures can't be reset like passwords, storing critical data like credit card security codes and government IDs together is not recommended. “Yet, Krispy Kreme failed to properly isolate these data points," Agha said.

Krispy Kreme’s investigation concluded on May 22, 2025, attributing the attack to unauthorized activity. Interestingly, the company claims there is no evidence of misuse or reports of identity theft so far. 

The Play ransomware group initially claimed responsibility for the data breach, though Krispy Kreme has not officially confirmed their involvement or acknowledged ransomware as a factor. 

The threat actor claimed to have stolen 184 GB worth of data that included personal information, client documents, financial information, and accounting, contracts, payroll, and budget files, which they leaked on their Tor-based website in December 2024.

To mitigate the damage, Krispy Kreme has offered impacted individuals a year of credit monitoring and identity protection, alongside fraud consultations.