Popular food delivery start-up DoorDash is once again in hot water after a hacker gained access to its database and compromised the data of more than four million of the company’s customers, workers, and merchant partners. The company confirmed that the breach occurred earlier this year and assured its users and partners that it had taken the necessary actions to mitigate the effects of the data breach.
“We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred,” reads a blog post published on the company’s website.
DoorDash said that an unnamed threat actor gained unauthorized access on May 4, 2019, and accessed “some DoorDash user data.” The company said that all user data generated until May 4 had been compromised, affecting approximately 4.9 million customers, Dashers, and merchants who joined the platform on or before April 5, 2018.
The company assured that those who joined DoorDash after April 5 were not affected by the data breach.
What types of data are compromised?
The data breach compromised the data of millions of DoorDash users, delivery workers, and merchant partners, and what was exposed differs for each group. The delivery start-up said that for its customers, the hacker was able to gain access to their profile information, including names, email addresses, delivery addresses, order history, and phone numbers. Furthermore, the hacker was also able to get a copy of users’ hashed, salted passwords, a form that makes the passwords “indecipherable to third parties.”
Moreover, some DoorDash customers had their credit card information leaked. Specifically, the hacker was able to gain access to the last four digits of their credit card numbers. However, DoorDash clarified that full credit card numbers and their respective CVV codes were not disclosed to the threat actor.
“Full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card,” reads the blog post.
DoorDash added that for its partner merchants and Dashers, the hacker was able to access the last four digits of their bank account numbers. Similarly, the company assured that full bank account numbers were not accessed and that the information accessed is insufficient to make fraudulent bank withdrawals from the accounts.
Aside from the last four digits of their bank account numbers, the hacker also got a copy of the driver’s license numbers of approximately 100,000 Dashers.
The company assured its customers and partners that it had taken steps to protect their data moving forward. DoorDash has improved its security protocols, making it harder for a third party to access its data. The start-up also brought in external cybersecurity experts to increase its ability to identify and repel threats.
“We have taken a number of additional steps to secure further your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats,” DoorDash told its customers and partners.
The food delivery company said that while they believe that the passwords of their customers were compromised by the data breach, they are still encouraging them to immediately reset their passwords to increase the security of their accounts. DoorDash said that it has individually reached out to affected users with specific information about what was accessed and a step-by-step guide on what to do if their data was compromised.