Change Your DoorDash Password Now Because a Major Data Breach Has Been Discovered
Food delivery network DoorDash announced yesterday that it had suffered a data breach. Those of you who stay up-to-date with cybersecurity news probably aren't especially surprised by the fact that yet another online service has been hacked. The fact that these incidents have become an everyday occurrence doesn't mean, however, that they should be underestimated. It's always important to analyze them and determine what sort of data was leaked and how the whole thing is presented to the user. Here's what DoorDash customers need to know.
A glitch at a third-party service provider exposed DoorDash data
Apparently, in addition to the blog post, DoorDash has also sent out some email notifications, which, according to Gizmodo, are pretty much identical. The notice says that earlier this month, DoorDash's security team noticed some unusual activity at a third-party service provider. After a brief investigation, they learned that on May 4, 2019, a hacker accessed a database containing personal information of customers, Dashers (the delivery drivers and riders working for the platform), and merchants.
DoorDash says that about 4.9 million people have been affected, and it quickly points out that all the records in the breached database were created before April 5, 2018. In other words, people and organizations who got on the platform after April 5, 2018, are not affected in any way.
The leaked data includes names, email and delivery addresses, phone numbers, order history, and hashed and salted passwords. DoorDash didn't say which hashing algorithm it used, but it stated that the actual password is "indecipherable to third parties".
The last four digits of some people's credit card numbers and the last four symbols of some Dashers' and merchants' bank accounts were also exposed, though DoorDash quickly pointed out that this sort of information shouldn't be enough to facilitate any sort of financial fraud. 100,000 Dashers should be more careful, however, because their driver's license numbers were leaked.
"Concerned" users are advised to change their passwords and be more vigilant
Obviously, DoorDash's security people blocked access to the leaked database, and according to the blog post, they have taken additional steps to "enhance security" across the entire platform. Although the platform hashes and salts the login credentials before storing them, users were told that for the sake of peace of mind, they should think about changing their passwords.
To do that on a desktop device, go to https://www.doordash.com/accounts/password/reset/, enter your email address in the field, and wait for a message with a password reset link. DoorDash customers who use the mobile application can tap the Forgot Password link, which will redirect them to the page linked above.
Although the company states that no full credit card details or bank account information has been leaked, DoorDash still advises its users to be a bit more vigilant than usual. The whole notice is trying to convince you that there's not a whole lot to be worried about. There are a few unanswered questions, though.
DoorDash leaves out some details
As we mentioned already, DoorDash is adamant that the breach occurred at a third party. What the food delivery platform doesn't say, however, is what the name of this third party is. We also don't know how it all happened. Was it a mistake on the part of the nameless third party? Or did DoorDash's administrators misconfigure a database and leave it exposed to the internet like so many other companies? These are all fairly serious questions, and they become even more pressing when you see what some people think about DoorDash's cybersecurity record.
Almost exactly a year ago, users of the food delivery platform suddenly started reporting numerous instances of hacked accounts and unauthorized orders and charges. Back then, a DoorDash spokesperson told TechCrunch that the complaining users had been targeted by a credential stuffing attack.
Consumers weren't convinced, though. In fact, there is a Twitter account and a Reddit subreddit dedicated to people who have had their DoorDash accounts hacked. The people running them seem to think that DoorDash got hacked back in June 2018.
Obviously, this information hasn't been officially confirmed, which means that it's difficult to say how trustworthy it is. It is difficult to ignore it, however, especially in the aftermath of a confirmed data breach.