DoorDash Data Breach Impacts Personal Data of Almost 5M Users

Accessed information includes delivery addresses, license numbers, names, phone numbers and more.

Food delivery service DoorDash disclosed a data breach that affects almost 5 million customers, drivers and merchants using its platform.

DoorDash, an on-demand food delivery service, connects end users with local restaurants and relies on contracted drivers, known as “Dashers,” who use their own vehicles for delivery. The company said on Thursday that users who joined its app-based service on or before April 5, 2018 are impacted, totaling 4.9 million consumers, restaurants that operated through the service, and “Dashers.”

A variety of personal data was accessed, including names, email addresses, delivery addresses, phone numbers and hashed passwords. Also accessed were payment information, including the last four digits of payment cards, and driver’s license numbers for thousands of “Dashers.”

Some consumers’ payment card data was also impacted, including the last four digits of credit cards and of bank account numbers. However, DoorDash stressed that full credit card information and full bank account information were not accessed.

Finally, the driver’s license numbers of around 100,000 “Dashers” were accessed.

“Earlier this month, we became aware of unusual activity involving a third-party service provider,” the company said in a statement. “We immediately launched an investigation and outside security experts were engaged to assess what occurred… We took immediate steps to block further access by the unauthorized user and to enhance security across our platform. We are reaching out directly to affected users.”

The company said that in September, it discovered that an unauthorized third party had accessed some DoorDash user data on May 4, 2019. DoorDash did not specify the source of the breach, but did say that it involved a “third-party service provider.”

The company said it is in the process of notifying those affected “as quickly as possible and will continue to reach out over the coming days” – however, in the meantime it also encourages users to reset their passwords to one unique to DoorDash.

Moving forward, DoorDash said that it will take steps to improve the security of its platform. “These steps include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.”
