Hungry hackers are causing a world of trouble for donut maker Dunkin.

The New York Attorney General sued the retail chain formerly known as Dunkin Donuts for its handling of a cyber-security lapse that gave hackers access to hundreds of thousands in store credit that could only be used to buy crullers and other Dunkin products.

The AG said the snack attack started in 2015, when nearly 20,000 customers with smartphone app accounts for managing their “DD cards” were stolen.

Some of the cards were resold online, the AG said — potentially to other hungry hackers browsing the dark web. But other cards were not sold, a source told The Post, noting that the only potential use for them was to stock up on jelly donuts, iced coffee and other Dunkin goodies.

The app developer for Dunkin told the company “repeatedly” about “ongoing attempts to log in to customer accounts” but the java chain didn’t investigate, tell customers or make any changes to protect the accounts, the complaint alleges.

In the process, tens of thousands of dollars were stolen from customers and Dunkin’ didn’t pay users back for the thefts, the court papers charge. If the customer had enabled a service called “auto reload,” which automatically reloads registered cards when the balance gets low, “the attacker could use the DD cards indefinitely,” the Letitia James lawsuit said.

Because Dunkin didn’t fix the problem, 300,000 customers’ accounts were attacked again throughout 2018 — and Dunkin’ misled customers telling them there had been “attempted” access into their accounts while hiding the fact that the hackers had actually gotten in, the court papers charge.

“Instead of disclosing that customers’ accounts had been accessed without authorization, Dunkin’ falsely represented that it and its vendor had concluded only that a third party had ‘attempted’ or ‘may have attempted to log in’,” the court documents charge.

“There’s no sugarcoating the fact that @dunkindonuts did nothing to protect consumers’ accounts as the dough continued to roll in…” AG spokesperson Fabien Levy said in a tweet promoting a press release that accused the company of “Glazing Over Cyberattacks.”

The AG’s office wants Dunkin’ to be fined $5,000 per customer account for falsely claiming the accounts were secure. The office is also seeking $10 fines for each customer’s account that was hacked and not notified of the breach.

The AG — who is also seeking unspecified restitution for customers — also wants Dunkin’ to implement safeguards to prevent potential future breaches from happening, the court papers say.

“There is absolutely no basis for these claims by the New York Attorney General’s Office,” a rep with Dunkin’ Brands, Karen Raskopf, said. “For more than two years, we have fully cooperated with the AG’s investigation into this matter, and we are shocked and disappointed that they chose to move ahead with this lawsuit given the lack of merit to their case.”

Raskopf said that in 2015, accounts didn’t contain customer payment information. Still, when Dunkin’ was notified of the breach, it investigated and found that no accounts were hacked.

“Therefore, there was no reason to notify our customers,” Raskopf said. “We take the security of our customers’ data seriously and have robust data protection safeguards in place.