Dunkin’ Donuts’ loyalty program, DD Perks, was hacked by a third party, Forbes reported recently.

Likely, the hacker wasn’t looking for free donuts. The DD Perks rewards program boasts 9 million members, whose personal data was jeopardized, including information such as full names, email addresses, and DD Perks account numbers.

Dunkin’ Donuts believes there could be crossover from other breaches. In its article, Forbes shared a statement provided by Dunkin’ Donuts: “We believe that these third-parties obtained usernames and passwords from security breaches of other companies,” reads Dunkin’s statement. “These individuals then used the usernames and passwords to try to break in to various online accounts across the Internet.”

The company went on to warn that the third parties involved might have been able to log into DD Perks accounts if customers used the same username and password for other accounts not related to the donut chain.

Not only is there the issue of the hacker having customer information, but there’s a growing “loyalty points economy” on the dark web, writes Motherboard. “’Grab hacked Account Dunkin Donut now with cheap ever price on market!’ one listing currently available on Dream Marketplace, likely the largest dark web market at the time of writing, reads.”

It’s unclear whether the accounts involved in the most recent hack are involved in the loyalty points for sale on the dark web already. If not, there’s a good chance they will be soon enough.

Get the full story at Forbes.