Food-delivery service DoorDash has experienced a massive data breach. According to an alert from the company website, the breach occurred in May 2019 and was discovered earlier this month by the IT professionals in charge of the company network. What tipped them off was suspicious activity that eventually led to an unknown third-party accessing sensitive data. The threat actor was able to be ejected from the system, but not without compromising millions of accounts.
The post-exploitation measures taken were, according to DoorDash, “adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.” Additionally, the company reset passwords of affected users and sent out notification emails about the breach.
In terms of the data accessed, DoorDash states that roughly 4.9 million user accounts, employee accounts, and also merchant accounts were affected. More specifically, the accounts affected were all created on or before April 5, 2018. Accounts created after that date are not affected, DoorDash says. There is a veritable treasure trove of information in these accounts and those who are in the time-frame of the breach should be diligent about suspicious activity.
DoorDash states in the alert that the following types of data were accessed in the breach:
Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords… the last four digits of consumer payment cards… the last four digits of their bank account number… For approximately 100,000 Dashers, their driver’s license numbers were also accessed.
With DoorDash being one of the most popular third-party delivery services out there, this is a PR nightmare for the company. The results of the investigation will not be released to the public, but it is safe to say that network security was not nearly what it should have been for a company of this size. As long as large companies fail to enforce the highest security measures and practices, these types of breaches will continue to occur.
Featured image: Marco Verch / Trending Topics 2019