DoorDash reveals third-party data breach hit 4.9 million users

Food delivery firm comes under heavy criticism on Twitter for its response to the latest hack

DoorDash sign

DoorDash has revealed that an unauthorised third party accessed the data of approximately 4.9 million of its customers, drivers and merchants earlier in this year.

The information taken included the last four digits of payment cards from both customers and the companies that use DoorDash for delivery.

The San Francisco-based food delivery firm revealed the breach in a blog post confirming it affected members who joined on or before 5 April 2018.

Since forming in 2013, DoorDash has built a huge network of restaurants and drivers to provide food delivery in more than 600 cities. According to its blog, it became aware of "unusual activity" involving a third-party service provider earlier September.

"We immediately launched an investigation and outside security experts were engaged to assess what occurred," the company wrote. "We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorised user and to enhance security across our platform. We are reaching out directly to affected users."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

These affected users will be told that their names, email addresses, home addresses, phone numbers, order history, passwords and bank details could have been accessed. The company stressed that only the last four digits of their bank accounts were accessed and that CVV numbers were not.

The breach comes just over a year since DoorDash customers first took to Twitter to complain that their accounts had been hacked. At the time, the company told TechCrunch that no data had been breached, despite the volume of tweets saying otherwise.

What's more, tweets of hacked accounts dogged the company through most of 2018, with many users complaining about its customer service systems.

French teacher and customer @mme_henderson tweeted: "DoorDash Someone has hacked my account and had several meals at my expense. Customer service is non-responsive. Unacceptable!"

As the details of May's breach were released, many more took to Twitter to vent their frustrations with some calling the companies response "generic".

Advertisement - Article continues below

"DoorDash Just got your email about a data breach! Location data, credit card info, timestamps, etc released? This is really not good. A generic apology isn't sufficient. How about an account credit? #hacked," posted @RooibosandRose.

IT Pro has contacted DoorDash for further details about how the data was accessed.

"It would be premature to make any conclusions about the origins of the breach prior to a detailed technical investigation assisted by law enforcement agencies," Ilia Kolochenko, founder and CEO of web security company ImmuniWeb. "Breach or data theft by a trusted third party, such as supplier or data analytics company, is nonetheless quite possible.

"Risks affiliated to insecure or careless third parties is an Achilles heel of most modern companies and organisations. The problem is that monitoring and proper enforcement of third party cyber security are exorbitantly expensive and most companies, including the largest ones, simply cannot afford it."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/network-internet/web-browser/354614/microsoft-developer-declares-its-time-to-ditch-ie-for-edge
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020