On September 26, 2019, the popular meal delivery service DoorDash confirmed that it had fallen victim to a cyber security breach. According to Mattie Magdovitz, a spokesperson for DoorDash, the hackers were able to gather information on over 4.9 million customers, delivery workers, and merchants who had signed up for the service. The breach is said to have occurred on May 4, 2019. However, customers who downloaded the app and signed up for the service on or after April 5, 2018 were not affected by the breach.
In the aftermath of this breach, many users are left wondering why it took over five months for DoorDash to detect that their systems had been breached and personally identifiable information (PII) had been stolen and/or compromised.
According to Magdovitz, the breach was the result of DoorDash's use of "a third-party service provider"; however, no further information identifying the third party responsible was given. On learning of the breach, Magdovitz added, "We immediately launched an investigation and outside security experts were engaged to assess what occurred."
Those users who signed up to use DoorDash prior to April 5, 2018 had PII stolen, such as their name, email, delivery address, order history, phone numbers, and salted and hashed passwords. "Salted and hashed" passwords are a security technique that user-based services use to store passwords in a scrambled, one-way form rather than in plain text, as an added layer of protection in the event of a security breach. It should be noted that hashing is not encryption: the stored value cannot be decoded directly, but there are free tools that guess candidate passwords, hash each one with the stolen salt, and compare the results, so weak or reused passwords can still be recovered; anyone with a strong background in hacking may be able to crack such passwords as well.
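The following is an added example, not code from the original article or from DoorDash, showing what "salted and hashed" storage looks like and why it is not encryption. It assumes PBKDF2-HMAC-SHA256 from Python's standard library, a per-user random 16-byte salt, and a constructed three-word wordlist; the function and variable names are hypothetical. Two things it demonstrates: the same password hashed for two different users produces two different digests (so a precomputed table built for one salt is useless against another), and a weak password is still recovered by guessing candidates and re-hashing them with the stolen salt, which is exactly why affected users should change any password they reused elsewhere.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# PBKDF2 work factor. Kept moderate so the example runs quickly;
# production deployments use a higher count (assumption for this demo).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password.

    A fresh random salt is drawn when none is supplied, which is what a
    service does at registration time. The digest is one-way: there is no
    function that maps it back to the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login-time check: re-hash the supplied password with the stored salt
    and compare in constant time against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def digests_differ_across_users(password: str) -> bool:
    """Two users choosing the same password get unrelated stored digests,
    because each registration draws its own salt."""
    _, digest_user_a = hash_password(password)
    _, digest_user_b = hash_password(password)
    return digest_user_a != digest_user_b


def guess_from_wordlist(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What a cracking tool does with a leaked (salt, digest) pair: it does not
    'decrypt' anything, it hashes each candidate with the same salt and looks
    for a match. A strong, unique password is not in any such list."""
    for candidate in wordlist:
        if verify_password(candidate, salt, digest):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo values, not data from the breach.
    weak_wordlist = ["letmein", "qwerty", "password123"]

    salt, digest = hash_password("password123")
    print("verify correct password:", verify_password("password123", salt, digest))
    print("verify wrong password:  ", verify_password("hunter2", salt, digest))
    print("same password, different digests:", digests_differ_across_users("password123"))
    print("weak password recovered by guessing:", guess_from_wordlist(salt, digest, weak_wordlist))

    strong_salt, strong_digest = hash_password("Xq7!vR2#mLp9&zT")
    print("strong password recovered:", guess_from_wordlist(strong_salt, strong_digest, weak_wordlist))
```

The salt does not make a weak password safe; it only removes the shortcut of reusing one precomputed table across every account in the dump. The slow hash (PBKDF2 here) raises the cost of each guess, which is why the work factor matters as much as the salt.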
It was also reported that the last four digits of these users' debit/credit card numbers were stolen; however, the full card numbers and the card verification values (CVV) were not exposed in the breach. The merchants that work with DoorDash and the over 100,000 delivery drivers it contracts had the last four digits of their bank account numbers stolen, according to Magdovitz.
Frighteningly enough, the news of this data breach comes almost exactly one year after DoorDash customers complained that their accounts had been hacked and PII stolen from their accounts with the service provider. While DoorDash, at the time, denied any and all allegations of a data breach, it noted that bad actors were running "credential stuffing attacks." A "credential stuffing attack" is when a hacker takes lists of usernames and passwords stolen from one service and tries them against many other websites and services, gaining access to the accounts of people who reuse the same username/password combination across multiple sites.
When asked about the allegations one year ago, DoorDash could not explain how the affected accounts had been breached.
For more information or a FREE, no-obligation cyber security assessment of your company, please feel free to reach out to us by phone, by email at info@newitpartners.com, or by filling out the form on the right side of the screen.