Today, DoorDash revealed to its users that their platform suffered a major data breach on May 4, 2019, affecting approximately 4.9 million consumers, dashers, and merchants who joined the platform on or before April 5, 2018.
When DoorDash became aware of the attack earlier this month, it recruited private security experts to investigate. The investigation revealed that user data was accessed by an unauthorized third party, who is still unknown. The food delivery company has taken preventive actions to block further unauthorized access.
Though DoorDash is not aware of any user passwords being compromised in the breach, it has requested that all users reset their passwords and use a unique password just for DoorDash. In the official blog post, DoorDash has listed the types of user data that might have been compromised in the data breach.
- Profile information including names, email addresses, delivery addresses, order history, phone numbers, and more.
- For some customers, the last four digits of their consumer payment cards. However, DoorDash maintains that customers “full credit card information such as full payment card numbers or a CVV was not accessed.” Also, DoorDash confirms that the accessed information is not enough to make any fraudulent charges on the payment card.
- For some Dashers and merchants, the last four digits of their bank account number. Again DoorDash confirms that the full bank account information was not accessed and the accessed information is insufficient to perform any illicit withdrawals from the bank account.
- Approximately 1 lakh Dashers' driver's license numbers were also compromised.
In the blog post, DoorDash says that it has now taken the necessary remedial steps to avoid such security breaches: adding protective security layers around the data, tightening the security protocols that govern access to its systems, and engaging outside security expertise to identify and repel threats more accurately in the future. Currently, DoorDash is in the process of reaching out to its affected customers.
DoorDash has also clarified that the customers who joined the platform after April 5, 2018, are not affected by this data breach.
However, DoorDash has neither clarified how the third party accessed user data nor explained how the company came to know about the data breach. The blog post also does not shed any light on why the company took so long to detect the security breach.
Many users are indignant about the lack of detail in DoorDash's blog post.
Door Dash should be getting absolutely cooked for this. This breach happened May 4 — nearly five months ago. And they’re informing customers for the first time just now. Unacceptable. pic.twitter.com/xqAGKYESWW
— Peter Frost (@peterfrost) September 27, 2019
Don’t let ‘relatively’ low 5M records breached fool you. @DoorDash data breach is significant. Many suppliers/delivery people affected. Blaming it on 3rd-party service provider, not clear why it took #Doordash 5 months to detect breach. HT @zackwhittaker https://t.co/UIN2CHSi10
— Ben Rothke (@benrothke) September 26, 2019
Many people are also of the opinion that until substantial penalties are levied against these companies, data breaches will continue to occur. Others argue that companies should stop using personal information to confirm a customer's identity.
A user on Hacker News comments, “In other words… “We leaked a bunch of your personal information, but at least it’s not enough data to steal your money!” All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: “Can I verify that last 4 of your social? And the last 4 of your credit card?”
How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.”
Head over to the DoorDash blog for more details about the data breach.