DoorDash has announced a data breach where an unauthorized user was able to gain access to the personal information of 4.9 million consumers, Dashers, and merchants. Yes, hackers have infiltrated DoorDash, and the number of impacted people is staggering - almost 5 million. Apparently, not all customers were affected by the intrusion.
The breach occurred on 4 May 2019 and affected customers, drivers, and merchants who joined the DoorDash platform on or before 5 April 2018. This would seem to indicate that the hackers only gained access to a database used earlier in the company's history.
It took DoorDash five months to become aware of the unauthorised activity.
A DoorDash spokeswoman said the breach involves a third-party service provider, and that an investigation is ongoing. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy", DoorDash wrote.
DoorDash assured users in an online post that it immediately blocked the intruder's cyber access and enhanced system security.
The thieves also stole hashed, salted passwords, but DoorDash says those passwords are indecipherable to third parties. Some consumers may have had the last four digits of their payment cards accessed; however, DoorDash says that the full card numbers and CVV codes were not taken. Perhaps most troublingly, the full driver's license numbers for approximately 100,000 DoorDash drivers were compromised in the breach.
Last year, some DoorDash customers complained that their accounts had been hacked. Back in September 2018, the company claimed that reports from multiple users of their accounts being hacked were down to credential stuffing. It is unclear if the two attacks are somehow related.
"We are reaching out directly to affected users with specific information about what was accessed", the company said on its website. It does not believe that the passwords are readable, but suggests that users reset them just in case.