DoorDash confirms 4.9M accounts accessed in major server breach
Food delivery app DoorDash has become the latest company to admit there has been a security breach of its servers, with the personal details of almost 5 million app users including names and addresses accessed by an attacker in May 2019.
In a blog post, DoorDash advises it was warned of unusual activity involving a "third-party service provider" earlier in September, prompting an investigation by security experts from outside the company. It was discovered an "unauthorized third party accessed some DoorDash user data on May 4, 2019."
The company has since taken steps to block further access by that third party, as well as enhancing its security and reaching out to affected users. It is believed 4.9 million consumers, "Dashers" and merchants who joined the service on or before April 5, 2018 are affected. Accounts created after that time were not affected by the intrusion.
The user data includes profile information like names, email addresses, order history, phone numbers, and hashed and salted passwords. For some consumers, the last four digits of payment cards were included, with the last four digits of bank account numbers for Dashers and merchants, but DoorDash stresses the full financial details were not accessed. For approximately 100,000 Dashers, their driver's license number was also accessed.
As well as reaching out to affected users with specific information about what was accessed in their account, DoorDash encourages users to reset their password to one that is unique to the service, but adds it "does not believe" user passwords have been compromised. The company has also set up a dedicated call center for additional support.
"We deeply regret the frustration and inconvenience that this may cause you," writes the company. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy."
Comments
Correct me if I’m wrong but weren't the TCP/IP and HTTP protocols originally developed by academics and designed to allow the free and open distribution of information? Only later, when the Internet took off, did people realize security was needed and all the security stuff was bolted onto the foundation. And here we are now with no one being safe on the “web”.
HTTP is just another layer on top of TCP/IP which is designed for distributed, client-server based data communication to support documents (hypertext) which can contain information from a number of different sources (hyperlinked). Again, privacy is up to you. Which is where HTTPS came in. It was created to wrap HTTP communications with data encryption.
But all of this doesn't really have anything to do with the data breach. What happened here is that their servers were hacked, plain and simple. Someone found a way to get unauthorized access to the data stored on their servers. There are a bunch of ways to do this, and it's akin to finding a way into someone's house. Maybe they forgot to lock one of their windows, maybe they left a key under the mat, etc. Same goes for server security. Blaming TCP/IP for the breach is like blaming the telephone system for a home break-in.
I first tried this service a few months ago because it was the only food delivery service in the small town where I work.
The restaurant from which I ordered is five minutes away. The restaurant immediately began preparing the food when I submitted the order and it was ready for pickup within minutes. Using the app, I watched one driver accept the run only to cancel minutes later before another driver from almost 30 minutes away accepted it. The quesadillas were finally delivered to me by a smelly, middle-aged obese man wearing a tank top and too-short shorts driving a filthy SUV full of passengers including an unrestrained child in the front seat about an hour and fifteen minutes later.
I got a full refund and canceled my service. Thankfully, I joined and canceled in June.
I agree with you that there are valid reasons to avoid smart-locks on your home. I wouldn't have one either. Pushing FUD is unnecessary and beneath you. Your insurer is not going to deny a claim because your security was hacked.
1. A steady stream of orders to accept.
2. A small, economical vehicle - ideally, a scooter that gets 100+ MPG and costs very little to insure and has a luggage rack on the back.
3. Customers who tip far more than the minimum amount.
The most successful will drive for Uber and Lyft and DoorDash and Waitr so they're constantly on the go.
I see a lot of Waitr drivers when I'm in restaurants, but I rarely see the same ones twice. A lot of them think it's easy money then they realize they're lucky to break even and give up after a few weeks or months.
So integrating it as a payment method wouldn't have helped in this case.
Other hackers have been able to get complete credit card and banking information. Either they're much better than this lot, or DD had somewhat better security.
To that end, none of the bullet points leads me to believe Apple Pay shouldn't be implemented. Like failing hard drives, merchants getting hacked and customers getting identities stolen seems more and more likely a matter of when, not if.
People who run companies and corporations that aggregate and store our personal information need to have criminal culpability assigned or this will never stop. True, it can never be completely eliminated, but it can be much more secure and much less frequent than it is. And so it should be.
On the negative side, I don't think rotateleftbyte would win any writing awards for clarity, and I don't think gatorguy would win any awards for reading comprehension.
Gotcha. Thank you sir for pointing it out.
Still unless the insurer (or local laws?) has explicitly required you to have and maintain a working security system then AFAICT your insurer cannot deny a claim simply because your system failed. You weren't contractually obligated to have or use one.
Receiving an insurance discount for having one that subsequently doesn't work (or you forgot to arm, it happens) might muddy the waters of course. Check with your insurance company.