DoorDash Breach Exposes 4.9 Million Users' Personal Data

DDE_Server


Do you use DoorDash frequently to order your food online?

If yes, you are highly recommended to change your account password immediately.

DoorDash—the popular on-demand food-delivery service—today confirmed a massive data breach that affects almost 5 million people using its platform, including its customers, delivery workers, and merchants as well.

DoorDash is a San Francisco-based on-demand food delivery service (just like Zomato and Swiggy in India) that connects people with their local restaurants and gets food delivered to their doorsteps with the help of contracted drivers, also known as "Dashers."


The service operates in more than 4,000 cities across the United States and Canada.

What happened?

In a blog post published today, DoorDash said the company became aware of a security intrusion earlier this month after it noticed some "unusual activity" from a third-party service provider.

Immediately after detecting the security intrusion, the company launched an investigation and found that an unauthorized third party managed to gain access to DoorDash personal data and in some cases financial data of its users on 4th May 2019.

Yes, you read that right. The data breach happened on 4th May, but it took the company more than four months to discover the security incident.

Based on the company's statement, it appears that the systems of the food delivery service itself don't have any potential weakness that may have exposed its users' data in the first place; instead, the incident involves a third-party service provider.

How many victims?

The breach affected approximately 4.9 million consumers, Dashers, and merchants who joined the DoorDash platform on or before 5th April 2018.


However, the company said that those who joined its platform after 5th April 2018 are not affected by the breach.

What type of information was accessed?

The types of data accessed by the unknown attacker(s) include both personal and financial data, as shown below:

  • Profile information of all 4.9 million affected users — This data includes their names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords.
  • Financial information of some consumers — The company said the hackers also managed to get their hands on the last four digits of payment cards for some of its consumers but assured that full payment card numbers or a CVV were not accessed.
  • Financial information of some Dashers and merchants — Not just consumers, but some Dashers and merchants also had the last four digits of their bank account number accessed by the hackers.
  • Information of 100,000 Dashers — The attackers were also able to access driver's license numbers for 100,000 Dashers.

However, DoorDash believes this information is not sufficient to place fraudulent orders using payment cards or to make fraudulent withdrawals from bank accounts.

What is DoorDash now doing?

In an attempt to protect its customers, DoorDash immediately restricted further unauthorized access by the attacker and hired security experts to investigate the incident and verify the extent of the breach.

The company also said it had placed additional security controls to harden the security and further secure its customers' data, which include adding additional security layers to protect user data and improving security protocols that allow access to its systems.

DoorDash is also bringing in "outside expertise" to increase the company's ability to identify and repel such threats before they victimize its users.

"We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy," the company said.


The company is in the process of reaching out directly to individual users affected by the data breach with more information, which may take a few days. Users can call the company's dedicated call center available 24/7 for support at 855–646–4683.

What Should You Do Now?

First of all, change your passwords for your DoorDash account and any other online account where you use the same credentials. Do it even if you are not affected, to be on the safer side.

Though the financial information accessed by the hackers is not enough for making fraudulent withdrawals from bank accounts, it is always a good idea to be vigilant and keep a close eye on your bank and payment card statements for any unusual activity and report it to the bank if you find any.

You should also be especially suspicious of phishing emails, which are usually the next step of cyber criminals after a breach in an attempt to trick users into giving up further details like passwords and bank information.
 

blackice

> Sucks to be them. Stop being so lazy fools and save some cash and cook.
Easier said than done with a newborn and a toddler :D. Password changed and credit monitoring is already in place. Truly it’s been a life saver since I went back to work. Just some peace where I don’t have to cook and clean for a night on top of the other parental duties.
 

Digmor Crusher

Been there done that, 2 small kids, still worked every day and cooked when I got home, no problem. Now it seems like spending money on ordering meals is the "in" thing, makes no sense to me. I would rather spend my money elsewhere. Not referring to you, but some people are just plain lazy, would rather spend time on their phones than cook a healthy meal. Now I can afford to eat out/order in as much as I like, but I actually do it maybe 5 times a year not including travel, to me spending money on restaurants is a waste as in 24 hours you know where that food ends up. Not a big foodie unless I cook it or in another country trying what they have to offer.

blackice

> Been there done that, 2 small kids, still worked every day and cooked when I got home, no problem. Now it seems like spending money on ordering meals is the "in" thing, makes no sense to me. I would rather spend my money elsewhere. Not referring to you, but some people are just plain lazy, would rather spend time on their phones than cook a healthy meal. Now I can afford to eat out/order in as much as I like, but I actually do it maybe 5 times a year not including travel, to me spending money on restaurants is a waste as in 24 hours you know where that food ends up. Not a big foodie unless I cook it or in another country trying what they have to offer.
Very wise. Definitely not the norm for us, but for a few times while in the busy whirlwind I don’t find it a waste. I actually like cooking for the family most of the time.
As a US federal employee who’s suffered multiple data breaches, I assume everyone and the Chinese govt has my info. I just stay vigilant in monitoring. I don’t trust anyone to protect data anymore.
 
