Food delivery company DoorDash has confirmed a data breach affecting 4.9 million customers, delivery workers and merchants.
4.9 million DoorDash users had their personal information stolen by hackers during a breach that happened on May 4, 2019. The breach was uncovered after the food delivery company noticed unusual activity involving an unnamed third-party service provider. The unauthorized party’s access was stopped soon after, but the hackers had already gotten away with the data of a number of users who joined before April 5, 2018.
According to the company, the stolen data includes profile information like names, email addresses, delivery addresses, phone numbers, order history, and salted and hashed passwords. Some users had the four digits of their payment cards stolen as well, while some Dashers and merchants had the last four digits of their bank account accessed. Lastly, around 100,000 Dashers had their driver’s license numbers accessed.
The company notes that full credit card information (full payment card numbers and CVV), as well as full bank account information, was not stolen. The information taken is not sufficient to make fraudulent charges and withdrawals.
While the company does not believe that any passwords had been compromised, they still encourage affected users to change their passwords.
Affected users will be notified
DoorDash is in the process of notifying all affected users but encourages everyone worried about their accounts to change their passwords.
It should be noted that just because a user joined before April 5, 2018, that does not mean their information has been accessed. Users who do not receive a notification from DoorDash in the upcoming days can assume their data has not been compromised.
While the company does not believe the data accessed is enough to make fraudulent charges, users are still encouraged to regularly check their payment card and bank accounts for unusual activity. Anything suspicious should be reported to the bank.
The company highlights that full payment card and bank account information was not stolen, but seems to downplay the fact that 4.9 million users had their full names, email addresses and home addresses exposed. Furthermore, the company provides no further information about how the breach happened besides mentioning an unauthorized third party accessing their systems. It is doubtful DoorDash users will appreciate the little information they receive about the incident or the fact that it took five months for the company to detect the breach.