DoorDash confirms 4.9M accounts accessed in major server breach

Posted:
in General Discussion
Food delivery app DoorDash has become the latest company to admit there has been a security breach of its servers, with the personal details of almost 5 million app users including names and addresses accessed by an attacker in May 2019.




In a blog post, DoorDash advises it was warned of unusual activity involving a "third-party service provider" earlier in September, prompting an investigation by security experts from outside the company. It was discovered an "unauthorized third party accessed some DoorDash user data on May 4, 2019."

The company has since taken steps to block further access by that third party, as well as enhancing its security and reaching out to affected users. It is believed 4.9 million consumers, "Dashers" and merchants who joined the service on or before April 5, 2018 are affected. Accounts created after that time not affected by the intrusion.

The user data includes profile information like names, email addresses, order history, phone numbers, and hashed and salted passwords. For some consumers, the last four digits of payment cards were included, with the last four digits of bank account numbers for Dashers and merchants, but DoorDash stresses the full financial details were not accessed. For approximately 100,000 Dashers, their driver's license number was also accessed.

As well as reaching out to affected users with specific information about what was accessed in their account, DoorDash encourages users to reset their password to one that is unique to the service, but adds it "does not believe" user passwords have been compromised. The company has also set up a dedicated call center for additional support.

"We deeply regret the frustration and inconvenience that this may cause you," writes the company. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy."
«1

Comments

  • Reply 1 of 21
    Just great - and the eventual remedy will be one (or two) years of credit monitoring. Why weren't banking details also encrypted?
    lordjohnwhorfinwatto_cobra
  • Reply 2 of 21
    lkrupplkrupp Posts: 10,557member
    Seems like this stuff is happening on a daily basis these days. All of our personal information is apparently on the “dark web” now, everyone’s data. If Equifax can be hacked then a mom-and-pop outfit like DoorDash should be easy peasy. .

    Correct me if I’m wrong but weren't the TCP/IP and HTTP  protocols originally developed by academics and designed to allow the free and open distribution of information? Only later, when the Internet took off, did people realize security was needed and all the security stuff was bolted onto the foundation. And here we are now with no one being safe on the “web”. 
    watto_cobra
  • Reply 3 of 21
    Just wait for companies like Ring to be hacked. All those phone home/subscription door locks will just be scrap metal and electronics.  sure they are convenient but IMHO, anyone relying on a 3rd party company for access to their own home is just asking to be burgled. What if Ring goes TITSUP? What then? Oh, and your insurance company may well just decline any claims. What then eh?

    These reports are just going to get more and more common as more and more people have their details stolen.
    I would love to buy some [redacted] but to even get information on the various products every site requires you to register. Every time you do this you are increasing your internet presence which increases your attack surface.

    I've had my identity stolen so I know at first hand what it is like to get it sorted out. It took me more than two years.

    dysamoriawatto_cobra
  • Reply 4 of 21
    Ring is owned by Amazon. I'm not too worried about them folding. But it's a valid point for small tier players.
    indieshackwatto_cobra
  • Reply 5 of 21
    auxioauxio Posts: 2,763member
    lkrupp said:
    Correct me if I’m wrong but weren't the TCP/IP and HTTP  protocols originally developed by academics and designed to allow the free and open distribution of information? Only later, when the Internet took off, did people realize security was needed and all the security stuff was bolted onto the foundation. And here we are now with no one being safe on the “web”. 
    TCP/IP are just pure data communication layers.  Protocols for how to get data from device A to device B, guaranteed to be delivered as long as there's a data communication route between them.  No security or privacy is part of the specification, nor does it need to be.  If you want to protect that data, encrypt it (which just makes it a different type of data that  TCP/IP can still deliver).

    HTTP is just another layer on top of TCP/IP which is designed for distributed, client-server based data communication to support documents (hypertext) which can contain information from a number of different sources (hyperlinked).  Again, privacy is up to you.  Which is where HTTPS came in.  It was created to wrap HTTP communications with data encryption.

    But all of this doesn't really have anything to do with the data breach.  What happened here is that their servers were hacked, plain and simple.  Someone found a way to get unauthorized access to the data stored on their servers.  There are a bunch of ways to do this, and it's akin to finding a way into someone's house.  Maybe they forgot to lock one of their windows, maybe they left a key under the mat, etc.  Same goes for server security.  Blaming TCP/IP for the breach is like blaming the telephone system for a home break in.
    coolfactorllamadysamoriauraharawatto_cobra
  • Reply 6 of 21
    DoorDash. Ha!

    I first tried this service a few months ago because it was the only food delivery service in the small town where I work.

    The restaurant from which I ordered is five minutes away. The restaurant immediately began preparing the food when I submitted the order and it was ready for pickup within minutes. Using the app, I watched one driver accept the run only to cancel minutes later before another driver from almost 30 minutes away accepted it. The quesadillas were finally delivered to me by a smelly, middle-aged obese man wearing a tank top and too-short shorts driving a filthy SUV full of passengers including an unrestrained child in the front seat about an hour and fifteen minutes later.

    I got a full refund and canceled my service. Thankfully, I joined and canceled in June.
    coolfactorrazorpitdysamoriaboltsfan17watto_cobra
  • Reply 7 of 21
    So DoorDash is like Uber for Food Delivery? People can actually make money doing that?
    watto_cobra
  • Reply 8 of 21
    gatorguygatorguy Posts: 24,647member
    Just wait for companies like Ring to be hacked.  Oh, and your insurance company may well just decline any claims. What then eh?

    Bull. What home insurer is allowed to deny a claim because your security system failed? 

    I agree with you that there are valid reasons to avoid smart-locks on your home. I wouldn't have one either. Pushing FUD is unnecessary and beneath you. Your insurer is not going to deny a claim because your security was hacked. 
    dysamoria
  • Reply 9 of 21
    razorpitrazorpit Posts: 1,796member
    So DoorDash is like Uber for Food Delivery? People can actually make money doing that?
    There are some things I don't understand about the modern world. "Services" such as this are one of them. I guess for the bigger cities it is worth it. My luck would be @zroger73 's experience.  :D
    zroger73dysamoriawatto_cobra
  • Reply 10 of 21
    So DoorDash is like Uber for Food Delivery? People can actually make money doing that?
    Yes, but not much. To net an income, you need:

    1. A steady stream of orders to accept.
    2. A small, economical vehicle - ideally, a scooter that gets 100+ MPG and costs very little to insure and has a luggage rack on the back.
    3. Customers who tip far more than the minimum amount.

    The most successful will drive for Uber and Lyft and DoorDash and Waitr so they're constantly on the go.

    I see a lot of Waitr drivers when I'm in restaurants, but I rarely see the same ones twice. A lot of them think it's easy money then they realize they're lucky to break even and give up after a few weeks or months.
    watto_cobra
  • Reply 11 of 21
    sflocalsflocal Posts: 6,136member
    This is precisely why these apps should integrate Apple-pay into their systems so that I don't have to give them my credit card number.  My parking-meter app does that, why doesn't door dash?
    StrangeDayswatto_cobra
  • Reply 12 of 21
    gatorguygatorguy Posts: 24,647member
    sflocal said:
    This is precisely why these apps should integrate Apple-pay into their systems so that I don't have to give them my credit card number.  My parking-meter app does that, why doesn't door dash?
    I don't think credit card numbers were accessed. This had more to do with names and addresses and other personal information which wouldn't be mitigated by using Apple Pay. 

    So integrating it as a payment method wouldn't have helped in this case.
    edited September 2019
  • Reply 13 of 21
    zroger73 said:
    So DoorDash is like Uber for Food Delivery? People can actually make money doing that?
    Yes, but not much. To net an income, you need:

    1. A steady stream of orders to accept.
    2. A small, economical vehicle - ideally, a scooter that gets 100+ MPG and costs very little to insure and has a luggage rack on the back.
    3. Customers who tip far more than the minimum amount.

    The most successful will drive for Uber and Lyft and DoorDash and Waitr so they're constantly on the go.

    I see a lot of Waitr drivers when I'm in restaurants, but I rarely see the same ones twice. A lot of them think it's easy money then they realize they're lucky to break even and give up after a few weeks or months.
    Laissez-faire capitalism + lazy entrepreneurs + tech trends + a nation of lousy employment opportunities = incredible capitalist opportunity to exploit the under-employed with “employment opportunity” money-making schemes.
    watto_cobra
  • Reply 14 of 21
    macguimacgui Posts: 2,469member
    • full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.
    • For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.
    All this tells me that the hacker was a kid playing around, a hacker trying to show vulnerabilities, a hackere who wanted home addresses for a specific reason, or a bad hacker who couldn't get complete credit card and banking information.

    Other hackers have been able to get complete credit card and banking information. Either they're much better than this lot, or DD had somewhat better security.

    To that end, none of the bullet points leads me to believe Apple Pay shouldn't be implemented. Like failing hard drives, merchants getting hacked and customers getting identities stolen seems more and more likely a matter of when, not if.

    People who run companies and corporations that aggregate and store our personal information need to have criminal culpability assigned or this will never stop. True, it can never be completely eliminated, but it can be much more secure and much less frequent than it is. And so it should be.
    watto_cobra
  • Reply 15 of 21
    My rule dealing with any new online services is simple nowadays, no paypal or apple pay option? no business. 
    edited September 2019 watto_cobra
  • Reply 16 of 21
    gatorguy said:
    sflocal said:
    This is precisely why these apps should integrate Apple-pay into their systems so that I don't have to give them my credit card number.  My parking-meter app does that, why doesn't door dash?
    I don't think credit card numbers were accessed. This had more to do with names and addresses and other personal information which wouldn't be mitigated by using Apple Pay. 

    So integrating it as a payment method wouldn't have helped in this case.
    I'm not so sure. My debit card, which was attached to my DD account and never used except at Safeway and our local Sprouts store (groceries/veg/etc) and was just a few months old (new bank), was compromised in May of this year and used on food delivery sent to NY and Canada (I'm in AZ). I figured it was DD so I deleted my account. A  bit too coincidental for me. I typically use CC's for everything but like a dummy, used my debit card that one time. Never again. CC only unless I'm at the register at Safeway or another store like that.
    watto_cobra
  • Reply 17 of 21
    sflocal said:
    This is precisely why these apps should integrate Apple-pay into their systems so that I don't have to give them my credit card number.  My parking-meter app does that, why doesn't door dash?
    They do use Apple Pay. 
    They’re still a rip off when you see just how much it costs to get food delivered, in some cases it’s double what it would cost for you to get off your butt and go get it yourself. 
    watto_cobra
  • Reply 18 of 21
    So DoorDash is like Uber for Food Delivery? People can actually make money doing that?
    it has been in asia for some time now. makes much more sense in asia where most people live in cities and many smaller restaurants do not want to pay for a delivery fleet, but in the west it must be hard to implement what with villages, towns and hamlets.
    watto_cobra
  • Reply 19 of 21
    gatorguy said:
    Just wait for companies like Ring to be hacked.  Oh, and your insurance company may well just decline any claims. What then eh?

    Bull. What home insurer is allowed to deny a claim because your security system failed? 

    I agree with you that there are valid reasons to avoid smart-locks on your home. I wouldn't have one either. Pushing FUD is unnecessary and beneath you. Your insurer is not going to deny a claim because your security was hacked. 
    I think there is a misunderstanding here. I agree with "gator" that no insurance company would invalidate your insurance just because a security company had a breach. But please re-read his opening paragraph. "rotateleftbyte" was clearly saying that if the company went bankrupt and then if you continued to use the product then your insurance company may consider your continued use to be negligence and they may not pay up. If any product is demonstrably insecure and the user continues to use it after the company goes bankrupt, then sure, any insurance company is likely to deny your coverage. And "gator" was talking about a completely different scenario, so you are both right in your own scenarios.

    On the negative side, I don't think rotateleftbyte would win any writing awards for clarity, and I don't think gatorguy would win any awards for reading comprehension.
    macguiwatto_cobra
  • Reply 20 of 21
    gatorguygatorguy Posts: 24,647member
    gatorguy said:
    Just wait for companies like Ring to be hacked.  Oh, and your insurance company may well just decline any claims. What then eh?

    Bull. What home insurer is allowed to deny a claim because your security system failed? 

    I agree with you that there are valid reasons to avoid smart-locks on your home. I wouldn't have one either. Pushing FUD is unnecessary and beneath you. Your insurer is not going to deny a claim because your security was hacked. 
    I think there is a misunderstanding here. I agree with "gator" that no insurance company would invalidate your insurance just because a security company had a breach. But please re-read his opening paragraph. "rotateleftbyte" was clearly saying that if the company went bankrupt and then if you continued to use the product then your insurance company may consider your continued use to be negligence and they may not pay up. If any product is demonstrably insecure and the user continues to use it after the company goes bankrupt, then sure, any insurance company is likely to deny your coverage. And "gator" was talking about a completely different scenario, so you are both right in your own scenarios.

    On the negative side, I don't think rotateleftbyte would win any writing awards for clarity, and I don't think gatorguy would win any awards for reading comprehension.
    LOL....
    Gotcha. Thank you sir for pointing it out. 

    Still unless the insurer (or local laws?) has explicitly required you to have and maintain a working security system then AFAICT your insurer cannot deny a claim simply because your system failed. You weren't contractually obligated to have or use one.

    Receiving an insurance discount for having one that subsequently doesn't work (or you forgot to arm, it happens) might muddy the wagers of course. Check with your insurance company. 
    edited September 2019
Sign In or Register to comment.