DoorDash is a popular food delivery service – and very convenient if I say so myself. However, in the seemingly never-ending trend of cyber attacks, DoorDash, too, fell victim to a supply-chain attack. Earlier this month, DoorDash identified unusual activity via a third-party service. They immediately launched an investigation and consulted with outside agencies.
Fret not, only community members who joined on or before April 5, 2018 were affected. Those who joined after April 5, 2018 are not affected. The total impacted accounts amount to 4.9M records. This includes users, Dashers (those who deliver on DoorDash’s behalf), as well as merchants.
Consumer data includes names, emails, addresses, along with order histories, phone numbers, and hashed and salted passwords. Some consumers’ last four credit card digits were harvested but DoorDash claims that, “…full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.”
Dashers and merchants had the last four digits of their bank account numbers leaked, but the same claim applies: the information is insufficient to make fraudulent charges. Approximately 100K Dashers also had their driver’s license numbers accessed.
As for what DoorDash is doing, they’re reaching out to the affected parties and upping their security posture to prevent such future instances. Even though the passwords were hashed and salted, they may still be crackable, so to err on the side of caution, DoorDash urges customers to change their password and make it unique to DoorDash. I highly recommend this as well, as using a password manager and unique passwords for various accounts ensures a leaked password is useless for other accounts.