DoorDash confirms data breach affecting 4.9m customers and workers

27 Sep 2019

Image: © SFIO CRACHO/Stock.adobe.com

The company confirmed that 100,000 driving licence numbers were accessed, along with almost five million email addresses, delivery addresses, phone numbers and hashed passwords.

On Thursday (26 September), US food delivery giant DoorDash confirmed that data belonging to 4.9m of its customers, workers and merchants was accessed in May 2019.

In a blogpost, the company said that the breach was not discovered until this month.

A spokesperson for DoorDash said: “We immediately launched an investigation and outside experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorised third party accessed some DoorDash user data on 4 May 2019.

“We took immediate steps to block further access by the unauthorised third party and to enhance security across our platform. We are reaching out directly to affected users.”

The company noted that not every user was affected. Approximately 4.9m consumers, workers and merchants who joined the platform on or before 5 April 2018 were affected. Users who joined DoorDash after this date were unaffected by the breach.

Data accessed

The company outlined what type of data may have been accessed. This included names, email addresses, delivery addresses, order history and phone numbers, as well as hashed, salted passwords. This means that the passwords obtained are indecipherable to third parties.

While full credit card information was not accessed, the last four digits of payment cards belonging to some customers could be seen. Similarly, the last four digits of bank account numbers belonging to DoorDash drivers was accessible, but the entire bank account number was not.

The company also said that driving licence numbers for approximately 100,000 workers were accessed.

In response to the breach, the company said that it has “taken a number of additional steps to further secure” user data. This includes adding protective security layers around the data, improving security protocols that govern access to its systems, and bringing in outside expertise to increase the company’s ability to identify and repel threats.

While the company said it does not believe user passwords were accessed, it urged customers to change their passwords to one that is unique to the platform out of an abundance of caution.

According to TechCrunch, DoorDash spokesperson Mattie Magdovitz blamed the breach on a third-party service provider, but did not name the suspect.

Peter Goldstein, CTO and Co-founder of Valimail, explained what the stolen data could be used for: “DoorDash’s data breach – which exposed names, email addresses, delivery addresses, order history, phone numbers and hashed passwords – puts close to five million people at increased risk for phishing attacks and other fraudulent activity.

“Cybercriminals can use this kind of data, in combination with effective and widely used email impersonation techniques, to send people especially convincing phishing emails.”

Previous security concerns

On 26 September 2018, exactly one year ago, dozens of people tweeted DoorDash complaining that their accounts had been hacked and fraudulent orders had been charged to their accounts. There were similar complaints made on Reddit.

At the time, TechCrunch reported: “In many cases, the hackers changed their email addresses so that the user could not regain access to their account until they contacted customer services. Yet many said that they never got a response from DoorDash, or if they did, there was no resolution.”

The tech publication spoke to some affected customers, a number of which said that their password was unique to DoorDash and generated by a password manager.

DoorDash denied that there had been any breach and suggested that the customers had been victims of credential stuffing, which would mean that hackers took lists of stolen usernames and passwords found online and used them on other sites.

One of the individuals affected told TechCrunch: “Simply makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time.”

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com