- Over 160,000 people had their data leaked from Krispy Kreme
- The victims are mainly employees and their family members
- The perpetrator is still unknown
Krispy Kreme has revealed exactly what details were exposed in the violation that hit the donut company in November 2024.
161,676 people were affected by the violation, with most of which were staff and their family members, the company has said in an archiving to Main’s Office of the Law Attorney.
The violation experienced a very wide range of sensitive information stolen, which jeopardized many of the victims of credit fraud, identity theft and more.
A hole many data
The full list of data stolen in the violation includes:
- Names
- Social security numbers
- Dates of birth
- Driver’s license or state -id numbers
- Information on financial account
- Information on access to financial account
- Credit or debit card information
- Credit or debit card information in combination with a security code, username and password for a financial account
- Passport numbers
- Digital signatures
- Usernames and Passwords
- E -Mail addresses and passwords
- Biometric data
- USCIS or foreign registration numbers
- US Military ID numbers
- Medical or health information
- Information on health insurance
Although not everyone involved will have had all of the above data leaked, it illustrates how important it is to protect sensitive information correctly, especially when it comes to credit card and payment information.
It seems that all data may have been clumped into a single database, making it much easier for attackers to steal such a box of information.
The victims were offered 12 months of credit monitoring and protection of identity theft, which has become a tradition of large companies affected by sensitive data violations.
Krispy Kreme is now showing a statement that makes the details of the data violation, “On November 29, 2024, Krispy Kreme became aware of unauthorized activity on some of its information technology systems. After learning from the unauthorized activity activity activity, we immediately began to take steps to investigate, contain and alleviate the incident with the help of leading cybereecs.”
“On May 22, 2025, our investigation into the incident determined that certain personal information was affected. There is no evidence that the information has been abused and we are not aware of any reports of identity theft or fraud as a direct result of this incident. This review has not been delayed as a result of a law enforcement investigation,” the statement said.
There is no confirmation of who was behind the violation, but immediately after Krispy Kreme’s reveal, the Play Ransomware band assumed the responsibility.
Bleeping computer Claims that Play Gang argued that the allegedly stolen files contain “private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, financing information” and more – but provided no evidence of its activity.
