DoorDash Says 4.9 Million Records Breached
'Unusual Activity' By Third-Party Service Provider to Blame
Food delivery startup DoorDash says 4.9 million customer, contractor and merchant records were breached after “unusual activity” by a third-party service provider.
The company says it became aware of an issue earlier this month and launched an investigation with outside security experts. It did not identify the service provider.
“We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019,” it says in a blog post on Thursday. “We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.”
The breach affects those who signed up for DoorDash before April 5, 2018. The leaked data includes profile information, which would include names, email addresses, delivery addresses, order histories, phone numbers and hashed and salted passwords.
Some consumers had the last four digits of their payment cards leaked, but the full payment card number and CVV were not exposed. “The information accessed is not sufficient to make fraudulent charges on your payment card,” DoorDash says.
For some of its delivery contractors – which it calls Dashers – and merchants, the last four digits of their bank account number were exposed. Also, the driver’s license numbers for 100,000 Dashers were exposed.
“We deeply regret the frustration and inconvenience that this may cause you,” DoorDash says.
A DoorDash spokeswoman says the company can’t provide further detail beyond the blog post for security reasons, but the company has notified law enforcement and regulators.
Change Your Password
Since the breach, DoorDash says it has added “protective security layers” around its data, improved its security protocols for access and brought in outside consultants.
The leaked passwords were hashed and salted, which somewhat reduces the overall risk that a password will be discovered and used to try to log into another service. That technique is often referred to as credential stuffing (see: Fighting Credential Stuffing Attacks).
Hashing is the process of taking a plain-text password and running it through a one-way algorithm to create a mathematical representation, which is stored by a service provider. Salt is an additional security measure that involves adding random data, making the hash more resistant to brute force attacks or the use of rainbow tables.
DoorDash didn’t specify what hashing algorithm it uses. A spokeswoman says “third-party analysis has confirmed the strength of the hashed, salted passwords is compliant with industry leading standards, including the NIST [National Institute of Standards and Technology] digital identity guidelines.”
Many organizations these days opt for the bcrypt algorithm, which is more resistant to cracking attempts. That’s because computing hashes of possible passwords to compare against a leaked hash is slower with bcrypt than with other hashing algorithms, such as SHA-1.
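The two points above, that a salt defeats precomputed tables and that a deliberately slow algorithm raises the cost of every guess, can be seen in a short added example (not DoorDash's code and not part of the original article). It assumes PBKDF2 from Python's standard library as a stand-in for bcrypt, with an assumed work factor and a constructed sample password.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def sha1_unsalted(password):
    """Fast, unsalted hash: the same password always gives the same value."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash (PBKDF2 standing in for bcrypt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def seconds_per_hash(fn, rounds):
    """Average wall-clock cost of one call to fn on a sample password."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn("correct horse battery staple")
    return (time.perf_counter() - start) / rounds


def compare_storage(password="Tr0ub4dor&3"):  # constructed sample password
    """Store one password for two users under both schemes."""
    alice, bob = hash_password(password), hash_password(password)
    return {
        # Unsalted: both users share one value, so one precomputed entry hits both.
        "unsalted_identical": sha1_unsalted(password) == sha1_unsalted(password),
        # Salted: each record is unique, so precomputed tables do not apply.
        "salted_identical": alice[2] == bob[2],
        "verifies": verify_password(password, alice),
        "rejects_wrong": not verify_password(password + "x", alice),
        "slowdown": seconds_per_hash(hash_password, 3)
        / seconds_per_hash(sha1_unsalted, 1000),
    }


if __name__ == "__main__":
    for key, value in compare_storage().items():
        print(f"{key}: {value}")
```

The "slowdown" figure is the factor by which each password guess becomes more expensive for anyone holding the leaked hashes; it scales with the iteration count.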
DoorDash says it doesn’t believe the leaked hashes will result in password compromises, but it nonetheless is recommending that those affected change their passwords.
Attackers collect lists of breached usernames and passwords in hope of catching out someone who has reused a password on another online service. Security experts recommend that unique passwords be used for every online service.
Although it’s unclear why the data was taken, several experts say DoorDash would be an attractive target due to the level of detail it collects – such as food allergies – and users' locations.
If I put my nation-state hat on, I can think of all kinds of useful info to get from food delivery services
- Meal preferences
- Physical locations delivered to
- Food delivery patterns (incl # of diners)
- Info about severe allergies (!)
- Other data harvested from user’s phone
— Jackie (@find_evil) September 26, 2019
Jake Williams, founder of Rendition Infosec in Atlanta and a former National Security Agency analyst, writes on Twitter that he doubts there was a nation-state behind DoorDash. But he says “for some people, food order history is probably extremely sensitive.”
To be clear, I don't think the DoorDash hack was an intelligence operation. But I'll bet you the money in my pocket you could unearth some REALLY interesting information (affairs, cover site locations, etc) with order history and delivery addresses. https://t.co/tlq4Mj9pmd
— Jake Williams (@MalwareJake) September 26, 2019