DoorDash confirmed in a blog post a major data breach involving 4.9 million customers, delivery workers, and merchants. The breach was discovered early in September, when the company noticed unusual activity involving a third-party provider. This third party accessed DoorDash user data without any authorization.
“We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”
It took nearly four months for the company to notice that a breach had occurred. Upon learning of the breach, DoorDash began an internal investigation and hired third-party security experts. It was determined that the breach occurred on May 4th, 2019 and affected users who joined before April 5, 2018. Any user who created a DoorDash account after this date was not affected. This does not mean that every user who created an account before this date was affected by the breach.
Compromised data includes profile information such as names, email addresses, delivery addresses, phone numbers, hashed and salted passwords, partial credit card information, and partial bank account numbers. According to DoorDash: “The information accessed is not sufficient to make fraudulent charges on your payment card… The information accessed is not sufficient to make fraudulent withdrawals from your bank account.” Further, nearly 100,000 driver’s license numbers of Dashers were accessed.
Since the discovery, DoorDash has blocked the third party’s access and has begun to implement stronger security measures across its infrastructure. This includes adding additional layers of security around data and improving security protocols.
Further, DoorDash is reaching out to all users who were affected by this breach. They are encouraging all affected users to reset their passwords. This can be done by visiting: https://www.doordash.com/accounts/password/reset/. It is also important for affected users to pay attention to all activity on their credit card and bank accounts. Any unusual activity should be reported immediately.
Contact LIFARS immediately for digital forensics services.