4.9 Million DoorDash Users Affected by Third-Party Data Breach


Food delivery company DoorDash announced that information belonging to customers, delivery workers, and merchants was stolen by hackers late last week. The breach affected 4.9 million individuals in all.

The breach occurred on May 4, according to a company statement, but customers who joined after April 5, 2018, are not affected. The company gave no explanation for why the breach was detected only five months after the fact, nor did it explain how the affected accounts were breached.

Through a spokesperson, DoorDash blamed the breach on a third-party service provider but declined to identify the third party by name. It also asserted that it “immediately launched an investigation and outside security experts were engaged to assess what occurred.”

What happened?

Users who joined the platform before April 5, 2018, had their names, email addresses, delivery addresses, order histories, phone numbers, and hashed and salted passwords stolen. "Hashed and salted" refers to a one-way transformation of a password that makes the original password unreadable to third parties.

The company also said consumers had the last four digits of their payment credit cards taken, though full numbers and card verification values (CVV) were untouched. Both delivery workers and merchants had the last four digits of their bank account numbers stolen, and about 100,000 delivery workers also had their driver’s license information stolen. None of the stolen information was sufficient for making fraudulent charges.

Repeat Offender

The breach comes almost a year after DoorDash customers complained that their accounts had been hacked. At that time, the company denied a data breach.

Instead, the company claimed hackers were performing something called credential stuffing, in which attackers take lists of usernames and passwords stolen from one site and try them on other sites. That explanation was eventually ruled out.

The DoorDash Response

To its credit, DoorDash took immediate steps to limit the damage, enhance security across its platform, and communicate with consumers. The company blocked further access by the unauthorized user and added further protective security layers around the data. It also improved the security protocols that govern access to its systems and brought in outside experts to help identify and repel threats.

The company says it is in the process of notifying those affected as quickly as possible. It also suggested customers change passwords as a recommended security practice, though passwords were not part of the breach.

A Hard Lesson Learned

Each of DoorDash's response measures is a recommended step for responding to a data breach. Still, it could have avoided the situation altogether by putting the right technology in place ahead of time. Like any company that handles sensitive information, DoorDash needs comprehensive risk-mitigation technology to keep tabs on the activities of all its third-party vendors. LogicGate's Third Party Risk Management software helps companies verify third-party access and ensure that every stakeholder follows proper procedures. Timely and accurate certifications and attestations are small but effective steps to ensure the appropriate parties follow the right protocols every time.


For more on Third Party Risk Management, check out LogicGate's Third Party Risk eBook: Driving Cross-Functional Alignment Across the Vendor Lifecycle.
