4.9 million customers, workers, and merchants affected in DoorDash data breach

Cal Jeffrey

Posts: 2,643   +616
Staff member

According to a DoorDash spokesperson, hackers infiltrated databases on May 4, 2019. Apparently, not all customers were affected by the intrusion. The company claims that those who joined the platform after April 5, 2018, are safe. This would seem to indicate that the hackers only gained access to a database used earlier in the company’s history.

DoorDash became aware of suspicious activity earlier this month. The company launched an investigation and concluded the failure was the fault of “a third-party service provider,” but it did not go into specifics.

“We immediately launched an investigation and outside security experts were engaged to assess what occurred,” DoorDash said in the written disclosure. “We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform.”

The “unauthorized third party” stole data, which included names, emails, delivery addresses, order history, phone numbers, and passwords. The company says that the passwords were “hashed and salted,” meaning they were stored as salted one-way hashes rather than in readable form.

“We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”

More alarmingly, that data also contained the last four digits of payment cards as well as the last four digits of Dashers’ and merchants’ bank account numbers. DoorDash says that the full numbers and CVV codes were not taken.

Nearly 100,000 delivery workers also had their driver’s license information stolen.

TechCrunch reported almost precisely a year ago that DoorDash customers began complaining about their accounts being hacked. At the time, the company denied that it had leaked data and claimed that the hackers were using “credential stuffing” attacks.

Credential stuffing is when an attacker uses a list of user names and passwords stolen from one website and tries them all on another website. However, many DoorDash customers who were hacked at that time said they used a unique password for the platform, ruling out this method. It is unclear if the two attacks are somehow related.

The company is reaching out to affected parties to let them know exactly what information was compromised. It does not believe that the passwords are readable, but suggests that users reset them just in case.

Image credit: David Tonelson via Shutterstock
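
The credential stuffing pattern defined above can be recognised from the defender's side in login logs: one source tries many distinct accounts in a short window and almost all attempts fail. The sketch below is an added example, not part of the original article and not DoorDash's tooling; the log format, the thresholds and the function name `find_stuffing` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp source_ip username outcome" (format is assumed).
# IPs come from documentation ranges; none of this is DoorDash data.
SAMPLE_LOG = """\
2019-05-04T10:00:01 203.0.113.7 alice FAIL
2019-05-04T10:00:02 198.51.100.20 alice FAIL
2019-05-04T10:00:03 203.0.113.7 bob FAIL
2019-05-04T10:00:05 203.0.113.7 carol FAIL
2019-05-04T10:00:07 203.0.113.7 dave FAIL
2019-05-04T10:00:09 203.0.113.7 erin FAIL
2019-05-04T10:00:11 203.0.113.7 frank OK
2019-05-04T10:00:20 198.51.100.20 alice OK
2019-05-04T10:01:00 192.0.2.50 gina OK
2019-05-04T10:01:10 192.0.2.50 hal OK
2019-05-04T10:01:20 192.0.2.50 ivy OK
2019-05-04T10:01:30 192.0.2.50 jo OK
2019-05-04T10:01:40 192.0.2.50 kim OK
"""

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, max_success=0.2):
    """Flag source IPs that try many distinct accounts in one window, mostly failing."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, ip, user, outcome = parts
            by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            users = {e[1] for e in span}
            success_rate = sum(e[2] for e in span) / len(span)
            if len(users) >= min_users and success_rate <= max_success:
                hit = flagged.setdefault(ip, {"users_tried": 0, "logged_in": set()})
                hit["users_tried"] = max(hit["users_tried"], len(users))
                # Accounts that accepted a stuffed password need a forced reset.
                hit["logged_in"] |= {e[1] for e in span if e[2]}
    return flagged

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

In the sample, the single user who mistypes a password and the shared address where every login succeeds are not flagged. Grouping by source IP alone misses attempts spread across many addresses, so real deployments usually combine it with other signals.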



Uncle Al

Posts: 7,601   +6,114
Correction ....
"Company says 'third-party service provider' is to blame"
The company picked them, so the company is to blame for bad judgement and failing to fully vet them before giving them the power ......


Posts: 482   +422
Well, it happened only a 1/2 million times before....so they assumed it won't happen to them and why hire and spend money on smart IT people to safeguard their systems?? And besides, it's just data about some customers.....


Posts: 992   +1,469
TechSpot Elite
And this is why the EU GDPR is a good idea. Not disclosing a data breach in a timely manner or outright lying about it carries a higher penalty btw.

I know the GDPR does not apply here.


*shakes head*
Right there with you.

Correction ....
"Company says 'third-party service provider' is to blame"
The company picked them, so the company is to blame for bad judgement and failing to fully vet them before giving them the power ......
There's some decent logic to this statement. However, it is fairly easy for one company to misrepresent itself to another, whether deliberately or not.


Another day, another breach...I changed my password *sigh*
That won't help with this kind of breach. Your password wasn't compromised, your personal details were. Your name, phone number, address, SSN, DOB and other such data are what's at play...