Food delivery service DoorDash has confirmed that a data breach affecting 4.9 million customers and merchants took place in May and exposed general PII and partial payment card information.
The company learned in early September that an unauthorized party had accessed a third-party vendor on May 4, 2019 and, through it, obtained information including names, email addresses, delivery addresses, order history, phone numbers and hashed, salted passwords. Additionally, the driver’s license numbers of at least 100,000 Dashers were accessed, and the last four digits of some customer credit cards were also exposed, but not the full number or CVV, DoorDash said.
Newer customers were not impacted by the breach. DoorDash said that consumers, “Dashers” and merchants who joined on or before April 5, 2018 are affected, while those who joined after April 5, 2018 are not.
The company has obtained the services of a cybersecurity firm and has enhanced security across its platform. At this time DoorDash has not said what type of third-party vendor was involved or how the information was obtained. It is advising all those affected to change their DoorDash passwords.
Colin Bastable, CEO of Lucy Security, said the fact that the passwords were hashed does not necessarily protect anyone.
“Once again, third-party risk exposes consumers’ data to the dark web. Just because the passwords are hashed and salted does not mean that this was an innocuous hack. 4.9 million consumer names, email addresses, phone numbers and addresses are available to be exploited multiple times over the next few years.”
Erich Kron, KnowBe4’s security awareness advocate, said the breadth of information exposed sets the stage for those affected to be targeted by a variety of cybercriminal actions further down the road.
“This particular breach disclosed a significant amount of information, even though the passwords were hashed and salted. By using information from this breach, attackers could create a very convincing phishing email using your name, email address and phone number, along with the last four digits of the credit card and trick a person into believing it was legitimate. This is even worse for delivery drivers who have had their drivers’ license number also compromised,” Kron said.