DoorDash announces large-scale data breach affecting 4.9 million
DoorDash recently announced that it discovered unusual activity from a third-party service provider and, after looking into this further, determined that an unauthorized third party was able to access user data on May 4, 2019. According to the announcement, the company took immediate action to block access so customers would not continue to be affected. DoorDash spokesperson Mattie Magdovitz confirmed, “We immediately launched an investigation and outside security experts were engaged to assess what occurred.”
The breach involved access to customer names, email addresses, delivery locations, order history and phone numbers. In some instances, the third party also accessed the last four digits of cards used for payment as well as bank accounts. Full account numbers were not retrieved, according to the company.
The customers affected by the data breach joined on or before April 5, 2018, and the company indicated that anyone who joined after this date was not affected. The company has made changes to its security system to include improved protocols for protecting customers’ information.
DoorDash said anyone who is concerned that their data has been accessed or could have been accessed should change their account password immediately. In addition, the company said, “We are in the process of notifying those affected as quickly as possible and will continue to reach out over the coming days.”
DoorDash also reported, “We do not believe that user passwords have been compromised and the information accessed is not sufficient to make fraudulent charges on payment cards or fraudulent withdrawals from bank accounts. Regardless, it is a security best practice to always be vigilant and regularly check your payment card and bank account for unusual activity. If you see something suspicious, you should promptly report it to your financial institution.”
A blog post concerning the matter reads, “We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats… We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”
In 2018, customers also reported they believed their accounts had been hacked, but DoorDash denied it. “We do not have any information to suggest that DoorDash has suffered a data breach,” said spokesperson Becky Sosnov. “To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.”
At the time, DoorDash was asked to change the password policy to ensure customer information was not so easily accessible, if this type of attack had indeed occurred. It is unclear whether the company implemented any changes after this suggestion was made. However, some of the customers who complained also indicated their passwords were unique to the site or app, which would rule out a credential stuffing attack. There was no evident resolution to these complaints.
In the most recent incident, 100,000 delivery workers also had their driver’s license information stolen. In the announcement, the company indicated, “Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected.”