DoorDash Data Breach exposes data of approximately 5 million users

DoorDash is a San Francisco–based on-demand food delivery service, the company confirmed it has suffered a data breach that exposed roughly 5 million users.

DoorDash announced a data breach that exposed the personal information of 4.9 million consumers, Dashers, and merchants.

According to the data breach notification sent to the impacted customers and the security note published on the website, the incident took place on May 4, 2019, when an unauthorized party was able to gain access to user information, Users and merchants who were registered on the platform after April 5, 2018, were not impacted.

“Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.” reads the security notice published on the website. “Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected. Users who joined after April 5, 2018 are not affected.“

It is not clear how this data was accessed, but they mention that they noticed unusual activity with a third-party service. It is not known if this data was being hosted by a third-party service provider, if they were subject to a supply-chain attack from this service provider, or the unauthorized access originated from this provider.

Exposed data includes profile information, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords. The company also confirmed that for some consumers, Dashers, and merchants, the last four digits of their credit cards or bank accounts were exposed.

“However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.” highlighted the company.

The incident also resulted in the exposure of roughly 100,000 driver’s license numbers associated the Dashers.

The company added that it doesn’t believe that user passwords have been compromised, but as precautationary measure recommends users to reset their passwords. Users can change their DoorDash password by visiting https://www.doordash.com/accounts/password/reset/.

At the time of writing it is not clear how data were accessed, the company only mentioned an unusual activity involving a third-party service provider. It is not clear if hackers breached the providers to access DoorDash systems or if DoorDash data was managed by this partner.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – DoorDash, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]