Blog

DoorDash – a San Francisco based food delivery service that connects people with their local restaurants and gets food delivered at their doorsteps has disclosed that the personal data of 4.9 million users is compromised. It includes personal information like names, delivery addresses, email addresses, phone numbers, order history, etc. Dozens of customers have complained DoorDash about the hack but they initially refused it. DoorDash was reported to be a $4 billion company that has raised $250 million last year and serves more than 1,000 cities across the U.S and Canada. This breach raises questions if DoorDash has acquired reliable security testing services for their business or not.

The hackers gained access to sensitive customer information 

The food delivery company has accepted that the hack compromised its customers, delivery workers, and merchants’ personal information. Hackers managed to gain access to the last four digits of consumer payment cards and the last four digits of bank accounts in some cases (although the company claims the full account numbers were not exposed). It has also been reported that the driver’s license information of around 100,000 delivery workers was also stolen. 

DoorDash accuses ‘third-party service provider’ responsible for the breach

DoorDash is notifying its customers about the breach that occurred in May, yet how the hackers accessed data is still unclear. It is still ambiguous for customers if DoorDash has taken some serious actions or hired security testing experts to address this issue.  Although the startup said they had become aware of an unusual activity involving a ‘third-party service provider’. They also mentioned that this hack could be due to an API abuse, i.e. when the API security allows too much access to applications. 

Users who joined the app after April 2018 have not been affected 

Traditionally, when a breach occurs it should be reported to GDPR and CPAA within 72 hours. However, DoorDash has discovered the hack within the last month, so there is a long way to identify, notify and overcome these kinds of security hacks. The company has also added that the data of users who joined the app after April 5, 2018, has not been compromised. 

DoorDash has ignored similar complaints that came-in a year ago 

A similar issue was raised by its customers almost a year ago that their accounts had been breached. DoorDash denied it completely and claimed that the attackers were running credential stuffing attacks. In this breach, the hackers take lists of stolen usernames and passwords from other sites and use the app to gain access to their respective accounts. Most of the customers claimed that they had unique passwords for DoorDash, Read more(How to create an app like DoorDash), refusing such an attack ever occurred. It is more likely that DoorDash didn’t focus on security testing when the issue was first reported.

What’s next?

Customers are still concerned about the security of their personal information and credentials being at stake. They are still waiting for DoorDash to highlight what actions and measures they have taken to avoid such breaches in the future!