DoorDash confirms 4.9M accounts accessed in major server breach

Food delivery app DoorDash has become the latest company to admit there has been a security breach of its servers, with the personal details of almost 5 million app users including names and addresses accessed by an attacker in May 2019.

In a blog post, DoorDash advises it was warned of unusual activity involving a "third-party service provider" earlier in September, prompting an investigation by security experts from outside the company. It was discovered an "unauthorized third party accessed some DoorDash user data on May 4, 2019."

The company has since taken steps to block further access by that third party, as well as enhancing its security and reaching out to affected users. It is believed 4.9 million consumers, "Dashers" and merchants who joined the service on or before April 5, 2018 are affected. Accounts created after that time were not affected by the intrusion.

The user data includes profile information like names, email addresses, order history, phone numbers, and hashed and salted passwords. For some consumers, the last four digits of payment cards were included, with the last four digits of bank account numbers for Dashers and merchants, but DoorDash stresses the full financial details were not accessed. For approximately 100,000 Dashers, their driver's license number was also accessed.

As well as reaching out to affected users with specific information about what was accessed in their account, DoorDash encourages users to reset their password to one that is unique to the service, but adds it "does not believe" user passwords have been compromised. The company has also set up a dedicated call center for additional support.

"We deeply regret the frustration and inconvenience that this may cause you," writes the company. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy."



21 Comments

indieshack 9 Years · 336 comments

Just great - and the eventual remedy will be one (or two) years of credit monitoring. Why weren't banking details also encrypted?

lkrupp 19 Years · 10521 comments

Seems like this stuff is happening on a daily basis these days. All of our personal information is apparently on the “dark web” now, everyone’s data. If Equifax can be hacked then a mom-and-pop outfit like DoorDash should be easy peasy.

Correct me if I’m wrong but weren't the TCP/IP and HTTP protocols originally developed by academics and designed to allow the free and open distribution of information? Only later, when the Internet took off, did people realize security was needed and all the security stuff was bolted onto the foundation. And here we are now with no one being safe on the “web”.

rotateleftbyte 12 Years · 1630 comments

Just wait for companies like Ring to be hacked. All those phone home/subscription door locks will just be scrap metal and electronics. Sure they are convenient, but IMHO anyone relying on a 3rd party company for access to their own home is just asking to be burgled. What if Ring goes TITSUP? What then? Oh, and your insurance company may well just decline any claims. What then eh?

These reports are just going to get more and more common as more and more people have their details stolen.
I would love to buy some [redacted] but to even get information on the various products every site requires you to register. Every time you do this you are increasing your internet presence which increases your attack surface.

I've had my identity stolen so I know at first hand what it is like to get it sorted out. It took me more than two years.

mactodd 18 Years · 8 comments

Ring is owned by Amazon. I'm not too worried about them folding. But it's a valid point for small tier players.

auxio 19 Years · 2766 comments

lkrupp said:
Correct me if I’m wrong but weren't the TCP/IP and HTTP protocols originally developed by academics and designed to allow the free and open distribution of information? Only later, when the Internet took off, did people realize security was needed and all the security stuff was bolted onto the foundation. And here we are now with no one being safe on the “web”.

TCP/IP are just pure data communication layers. Protocols for how to get data from device A to device B, guaranteed to be delivered as long as there's a data communication route between them. No security or privacy is part of the specification, nor does it need to be. If you want to protect that data, encrypt it (which just makes it a different type of data that TCP/IP can still deliver).

HTTP is just another layer on top of TCP/IP which is designed for distributed, client-server based data communication to support documents (hypertext) which can contain information from a number of different sources (hyperlinked).  Again, privacy is up to you.  Which is where HTTPS came in.  It was created to wrap HTTP communications with data encryption.

But all of this doesn't really have anything to do with the data breach.  What happened here is that their servers were hacked, plain and simple.  Someone found a way to get unauthorized access to the data stored on their servers.  There are a bunch of ways to do this, and it's akin to finding a way into someone's house.  Maybe they forgot to lock one of their windows, maybe they left a key under the mat, etc.  Same goes for server security.  Blaming TCP/IP for the breach is like blaming the telephone system for a home break in.