Food delivery app DoorDash has become the latest company to admit there has been a security breach of its servers, with the personal details of almost 5 million app users including names and addresses accessed by an attacker in May 2019.
In a blog post, DoorDash advises it was warned of unusual activity involving a "third-party service provider" earlier in September, prompting an investigation by security experts from outside the company. It was discovered an "unauthorized third party accessed some DoorDash user data on May 4, 2019."
The company has since taken steps to block further access by that third party, as well as enhancing its security and reaching out to affected users. It is believed 4.9 million consumers, "Dashers" and merchants who joined the service on or before April 5, 2018 are affected. Accounts created after that time are not affected by the intrusion.
The user data includes profile information like names, email addresses, order history, phone numbers, and hashed and salted passwords. For some consumers, the last four digits of payment cards were included, with the last four digits of bank account numbers for Dashers and merchants, but DoorDash stresses the full financial details were not accessed. For approximately 100,000 Dashers, their driver's license number was also accessed.
As well as reaching out to affected users with specific information about what was accessed in their account, DoorDash encourages users to reset their password to one that is unique to the service, but adds it "does not believe" user passwords have been compromised. The company has also set up a dedicated call center for additional support.
"We deeply regret the frustration and inconvenience that this may cause you," writes the company. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy."
21 Comments
Just great - and the eventual remedy will be one (or two) years of credit monitoring. Why weren't banking details also encrypted?
Seems like this stuff is happening on a daily basis these days. All of our personal information is apparently on the “dark web” now, everyone’s data. If Equifax can be hacked then a mom-and-pop outfit like DoorDash should be easy peasy.
Correct me if I’m wrong but weren't the TCP/IP and HTTP protocols originally developed by academics and designed to allow the free and open distribution of information? Only later, when the Internet took off, did people realize security was needed and all the security stuff was bolted onto the foundation. And here we are now with no one being safe on the “web”.
Ring is owned by Amazon. I'm not too worried about them folding. But it's a valid point for small tier players.