Whole big mess - Krispy Kreme data breach sees data on over 160,000 people exposed

• Over 160,000 people had their data leaked from Krispy Kreme
• The victims are mainly employees and their family members
• The perpetrator is still unknown

Krispy Kreme has revealed exactly what details were exposed in the breach that hit the donut company in November 2024.

161,676 people were affected by the breach, with most being staff and their family members, the company has said in a filing with Maine's Office of the Attorney General.

The breach saw a very wide range of sensitive information stolen, putting many of the victims at risk of credit fraud, identity theft, and more.

A hole lot of data

The full list of data stolen in the breach includes:

• Names
• Social Security numbers
• Dates of birth
• Driver's license or state ID numbers
• Financial account information
• Financial account access information
• Credit or debit card information
• Credit or debit card information in combination with a security code, username, and password to a financial account
• Passport numbers
• Digital signatures
• Usernames and passwords
• Email addresses and passwords
• Biometric data
• USCIS or Alien Registration Numbers
• US military ID numbers
• Medical or health information
• Health insurance information

While not everyone involved will have had all of the above data leaked, it does illustrate just how important it is to properly protect sensitive information, especially when it comes to credit card and payment details.

It appears that all of the data may have been lumped into a single database, making it far easier for the attackers to steal such a trove of information.

The victims were offered 12 months of credit monitoring and identity theft protection, which has become tradition for large companies hit by sensitive data breaches.

Krispy Kreme now shows a statement laying out the details of the data breach, “On November 29, 2024, Krispy Kreme became aware of unauthorized activity on a portion of its information technology systems. Upon learning of the unauthorized activity, we immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts.”

“On May 22, 2025, our investigation into the incident determined that certain personal information was affected. There is no evidence that the information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident. This notification has not been delayed as the result of a law enforcement investigation,” the statement says.

There is no confirmation on who was behind the breach, but immediately following Krispy Kreme’s disclosure, the Play ransomware gang claimed responsibility.

BleepingComputer claims the Play gang claimed the allegedly stolen files contain "private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information," and more - but did not provide any proof of its activity.

You might also like

• Here are my picks for the best antivirus software
• Krispy Kreme orders across the US disrupted after cyberattack
• These are the best password managers I could find