Krispy Kreme is warning tens of thousands of Americans that they are now at risk of identity theft and fraud following a major cybersecurity incident.

In a new filing with the Office of the Maine Attorney General, the doughnut and coffeehouse giant says it has discovered a computer hack affecting 161,676 employees, former employees and members of their families.

In a statement, the firm says that an unknown actor gained unauthorized access to the retailer’s information technology systems, stealing multiple types of data.

According to Krispy Kreme, the attacker may have siphoned sensitive personal information, including names, Social Security numbers, dates of birth and driver’s license or state ID numbers. The thief may have also copied financial data such as financial account access records, credit or debit card entries, along with security codes, as well as usernames and passwords to financial accounts.

Other customer data that might have been seized include digital signatures, usernames and passwords, email addresses and passwords, biometric records, USCIS or Alien Registration Numbers, US military ID numbers, medical or health records and health insurance entries.

“On November 29, 2024, Krispy Kreme became aware of unauthorized activity on a portion of its information technology systems. Upon learning of the unauthorized activity, we immediately began taking steps to investigate, contain, and remediate the incident with the assistance of leading cybersecurity experts.

On May 22, 2025, our investigation into the incident determined that certain personal information was affected. There is no evidence that the information has been misused, and we are not aware of any reports of identity theft or fraud as a direct result of this incident.”

Krispy Kreme says it abruptly sent letters of notification to affected customers to provide more information about the cybersecurity incident, while offering free credit monitoring and identity protection services.

The firm says it is revamping its security protocols “to further protect the privacy of the data entrusted to us.”
