DoorDash doesn't just pick up your food orders, it delivers your data to hackers, too

Profile info on 5 million users, including ordering history, hashed passwords, plus driver records, exposed to miscreants

Gig-economy delivery app maker DoorDash is so, so sorry this Thursday after hackers gained access to nearly five million of its customer accounts.

The dial-a-serf service said that on May 4 of this year some miscreant was able to break into one of DoorDash's technology providers, and view account information including the physical addresses of punters, order histories, phone numbers, and hashed and salted passwords, plus the last four digits of some users' credit card numbers or bank accounts.

The mobile application basically works like this: if you want some food delivered from a restaurant, say, DoorDash will marry a driver to your order, so that they pick it up when it's ready, and drop it off to you. It's like Uber or Lyft but for takeout.

"Earlier this month, we became aware of unusual activity involving a third-party service provider," the DoorDash team said in its mea culpa.

"We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019."

Additionally, DoorDash said the intruder was able to view 100,000 driver license numbers belonging to folks who deliver stuff via the software.

"Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected," DoorDash said in its disclosure. "Users who joined after April 5, 2018 are not affected."

The delivery service says it will reach out directly to notify those who were exposed. Here's a full list of what may have been accessed by the hackers, according to DoorDash:

Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.

For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.

For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.

For approximately 100,000 Dashers, their driver’s license numbers were also accessed.

Someone in an Uber ride

Uber, Lyft and DoorDash put $30m apiece into ballot battle fund to kill gig-economy employee benefits


So far, DoorDash says it does not believe any of the passwords have been cracked or any of the account numbers used to make fraudulent charges – DoorDash notes that the exposed info on its own would not be enough to make a charge on an account. However, it is still advising customers to change their account passwords and keep an eye on their bank statements.

If you reused the DoorDash password on another site or service, it would probably be wise to change that password as well (and, while you're at it, stop re-using passwords.)

"We took immediate steps to block further access by the unauthorized user and to enhance security across our platform," DoorDash told customers. "These steps include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats." ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021