Do you use DoorDash frequently to order food online?
If so, change your account password right now.
DoorDash, the popular on-demand food-delivery service, today confirmed a data breach that affects almost 5 million people who use its platform: customers, delivery workers, and merchants.
DoorDash is a San Francisco-based on-demand food delivery service (comparable to Zomato and Swiggy in India) that connects people with their local restaurants and delivers food to their doorsteps using contracted drivers, known as "Dashers."
The service operates in more than 4,000 cities across the United States and Canada.
What happened?
In a blog post published today, DoorDash said it became aware of a security intrusion earlier this month after noticing "unusual activity" from a third-party service provider.
Immediately after detecting the intrusion, the company launched an investigation and found that an unauthorized third party had gained access to personal data, and in some cases financial data, of its users on 4th May 2019.
Yes, you read that right. The data was accessed on 4th May, but it took the company more than four months to discover the incident.
Based on the company's statement, the intrusion is attributed to a third-party service provider rather than to a weakness in the food delivery service's own systems. The statement does not describe how the provider was compromised or what access it held, so the root cause remains unclear.
How many victims?
The breach affected approximately 4.9 million consumers, Dashers, and merchants who joined the DoorDash platform on or before 5th April 2018.
Those who joined the platform after 5th April 2018 are not affected, the company said.
What type of information was accessed?
The data accessed by the unknown attacker(s) includes both personal and financial information:
- Profile information of all 4.9 million affected users: names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords. The post does not name the hashing algorithm, and hashing only slows an attacker down; weak or reused passwords can still be recovered by offline guessing.
- Financial information of some consumers: the last four digits of their payment cards. The company assured that full payment card numbers and CVVs were not accessed.
- Financial information of some Dashers and merchants: the last four digits of their bank account numbers.
- Driver's license numbers of approximately 100,000 Dashers.
DoorDash believes this information is not sufficient to place fraudulent orders using the payment cards or to make fraudulent withdrawals from bank accounts. Bear in mind, though, that partial card digits combined with a name, address, phone number and order history are exactly the details that make a phishing message or a fraudulent call to a bank or support desk convincing.
What is DoorDash now doing?
To protect its customers, DoorDash says it immediately cut off further unauthorized access by the attacker and hired security experts to investigate the incident and verify the extent of the breach.
The company also said it has put additional security controls in place to further secure its customers' data, including extra layers of protection around user data and tighter protocols governing access to its systems.
DoorDash is also bringing in "outside expertise" to improve its ability to identify and repel such threats before they harm its users.
“We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy,” the company said.
The company is reaching out directly to the individual users affected by the breach with more information, which may take a few days. Users can call the company's dedicated 24/7 call center for support at 855–646–4683.
What Should You Do Now?
First of all, change your DoorDash password and the password of any other online account where you used the same credentials; a password recovered from one breach is routinely tried against other services. Do this even if you have not been notified, to be on the safe side.
Although the financial information accessed is not, on its own, enough to make fraudulent withdrawals from bank accounts, it is always a good idea to keep a close eye on your bank and payment card statements for unusual activity and to report anything suspicious to your bank.
Be especially wary of phishing emails, which are usually the criminals' next step after a breach: armed with names, addresses and order history, they can craft convincing messages that trick users into giving up further details such as passwords and bank information.
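To show why a leak of "hashed passwords" still warrants an immediate password change, here is an added example that is not DoorDash's code and not part of the original article. It runs the same dictionary attack an attacker would run over a constructed set of leaked hashes, first unsalted SHA-256 and then salted PBKDF2-HMAC-SHA256. The DoorDash post does not name its hashing algorithm, so both schemes, the account names, the passwords and the wordlist are assumptions built purely for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real accounts). Only used to build the leak.
PLAINTEXTS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "x9#Qv!2pLr7zWm4T",
}

# Assumption: unsalted SHA-256. The real disclosure did not name an algorithm;
# this scheme is chosen to show the worst case of "hashed".
LEAKED_UNSALTED = {
    user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in PLAINTEXTS.items()
}

# Tiny constructed wordlist. Real attackers use hundreds of millions of
# entries, largely harvested from earlier breaches.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "dasher2019"]


def crack_unsalted(hashes, wordlist):
    """Dictionary attack on unsalted hashes.

    Without salts, one hash per candidate word tests *every* account at once,
    so the cost is len(wordlist), not len(wordlist) * len(accounts).
    Returns ({user: recovered_password}, hash_operations).
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


# Illustrative work factor only. Production values are far higher (OWASP
# currently recommends 600,000 PBKDF2-HMAC-SHA256 iterations); kept small so
# the example runs in well under a second.
ITERATIONS = 20_000


def store_salted(password, iterations=ITERATIONS):
    """How a site *should* store a password: random per-user salt plus an
    iterated KDF. Returns (salt, iterations, derived_key)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_salted(password, record):
    """Recompute the KDF with the stored salt; constant-time compare."""
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)


def crack_salted(records, wordlist):
    """Same dictionary attack against salted, iterated hashes.

    A unique salt per user defeats the shared lookup table: every guess must
    be recomputed for every account, and each recomputation costs
    `iterations` rounds. Weak passwords still fall; strong ones do not.
    Returns ({user: recovered_password}, pbkdf2_calls).
    """
    cracked, calls = {}, 0
    for user, record in records.items():
        for w in wordlist:
            calls += 1
            if verify_salted(w, record):
                cracked[user] = w
                break
    return cracked, calls


def demo():
    cracked, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted SHA-256: recovered {cracked} with {ops} hash operations")

    salted = {user: store_salted(pw) for user, pw in PLAINTEXTS.items()}
    cracked2, calls = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2:    recovered {cracked2} with {calls} PBKDF2 calls "
          f"(~{calls * ITERATIONS:,} hash iterations)")


if __name__ == "__main__":
    demo()
```

The unsalted table falls with as many hash operations as there are wordlist entries, because one guess is checked against every account at once. Salting removes that shared table and iteration multiplies the cost per guess, yet the two weak passwords are recovered either way; only the long random one survives. That is why the advice after a breach is to change the password rather than rely on it having been hashed, and to stop reusing it elsewhere.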