Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response

DoorDash Says 4.9 Million Records Breached

'Unusual Activity' By Third-Party Service Provider to Blame
DoorDash Says 4.9 Million Records Breached
Photo: DoorDash

Food delivery startup DoorDash says 4.9 million customer, contactor and merchant records were breached after "unusual activity" by a third-party service provider.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

The company says it became aware of an issue earlier this month and launched an investigation with outside security experts. It did not identity the service provider.

"We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019," it says in a blog post on Thursday. "We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users."

The breach affects those who signed up for DoorDash before April 5, 2018. The leaked data includes profile information, which would include names, email addresses, delivery addresses, order histories, phone numbers and hashed and salted passwords.

Some consumers had the last four digits of their payment cards leaked, but the full payment card number and CVV was not exposed. "The information accessed is not sufficient to make fraudulent charges on your payment card," DoorDash says.

For some of its delivery contractors - which it calls Dashers - and merchants, the last four digits of their bank account number was exposed. Also, the driver's license numbers for 100,000 Dashers was exposed.

"We deeply regret the frustration and inconvenience that this may cause you," DoorDash says.

A DoorDash spokeswoman says the company can't provide further detail beyond the blog post for security reasons, but the company has notified law enforcement and regulators.

Change Your Password

Since the breach, DoorDash says it has added "protective security layers" around its data, improved its security protocols for access and brought in outside consultants.

The leaked passwords were hashed and salted, which somewhat reduces the overall risk that a password will be discovered and used to try to log into another service. That technique is often referred to as credential stuffing (see: Fighting Credential Stuffing Attacks).

Hashing is the process of taking a plain-text password and running it through a one-way algorithm to create a mathematical representation, which is stored by a service provider. Salt is an additional security measure that involves adding random data, making the hash more resistant to brute force attacks or the use of rainbow tables.

DoorDash didn't specify what hashing algorithm it uses. A spokeswoman says "third-party analysis has confirmed the strength of the hashed, salted passwords is compliant with industry leading standards, including the NIST [National Institute of Standards and Technology] digital identity guidelines."

Many organizations these days opt for the bcrypt algorithm, which is more resistant to cracking attempts. That's because generating random bcrypt hashes based on possible passwords is slower using bcrypt than other hashing algorithms, such as SHA-1.

DoorDash says it doesn't believe the leaked hashes will result in password compromises, but it nonetheless is recommending that those affected change their passwords.

Attackers collect lists of breached usernames and passwords in hope of catching out someone who has reused a password on another online service. Security experts recommended that unique passwords be used for every online service.

Revealing Crumbs

Although it's unclear why the data was taken, several experts say DoorDash would be an attractive target due to the level of detail it collects - such as food allergies - and users' locations.

Jake Williams, founder of Rendition Infosec in Atlanta and a former National Security Agency analyst, writes on Twitter that he doubts there was a nation-state behind DoorDash. But he says "for some people, food order history is probably extremely sensitive."


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.