DoorDash Data Breach exposes data of approximately 5 million users

DoorDash is a San Francisco–based on-demand food delivery service, the company confirmed it has suffered a data breach that exposed roughly 5 million users.

DoorDash announced a data breach that exposed the personal information of 4.9 million consumers, Dashers, and merchants.

According to the data breach notification sent to the impacted customers and the security note published on the website, the incident took place on May 4, 2019, when an unauthorized party was able to gain access to user information, Users and merchants who were registered on the platform after April 5, 2018, were not impacted.

“Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.” reads the security notice published on the website. “Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected. Users who joined after April 5, 2018 are not affected.“

It is not clear how this data was accessed, but they mention that they noticed unusual activity with a third-party service. It is not known if this data was being hosted by a third-party service provider, if they were subject to a supply-chain attack from this service provider, or the unauthorized access originated from this provider.

Exposed data includes profile information, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords. The company also confirmed that for some consumers, Dashers, and merchants, the last four digits of their credit cards or bank accounts were exposed.

“However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.” highlighted the company.

The incident also resulted in the exposure of roughly 100,000 driver’s license numbers associated the Dashers.

The company added that it doesn’t believe that user passwords have been compromised, but as precautationary measure recommends users to reset their passwords. Users can change their DoorDash password by visiting https://www.doordash.com/accounts/password/reset/.

At the time of writing it is not clear how data were accessed, the company only mentioned an unusual activity involving a third-party service provider. It is not clear if hackers breached the providers to access DoorDash systems or if DoorDash data was managed by this partner.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – DoorDash, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.