The online food delivery service DoorDash has recently confessed to a data breach targeting millions. As revealed, the company suffered a cyberattack that allowed attackers access to its user base.
DoorDash Confessed Data Breach
The online delivery service DoorDash has confirmed a data breach affecting a huge number of users. DoorDash has disclosed the incident in a recent blog post.
Reportedly, the firm noticed unauthorized activity involving ‘a third-party service’. Scratching the surface revealed that the intrusion occuredon May 4, 2019. While the incident didn’t affect all the users, it still impacted around 4.9 million DoorDash users.
Regarding the breached information, DoorDash explained that it could include personal information stored with accounts as well as the email addresses, hashed & salted passwords. Moreover, it could also include the last four digits of payment cards in the case of some customers. Besides, for some ‘Dashers and merchants’, the breached data might also include the last four digits of the bank account number.
The firm reassured users that the financial data, at large, remained safe, including full payment card numbers, CVV, and full bank account data. Hence, the breached information is insufficient to make any fraudulent transactions.
In addition, the leaked data also included the drivers’ license numbers for some 100,000 Dashers.
Elaborating further, the company stated that the incident primarily affected some of the DoorDash users who joined on or before April 5, 2018. Whereas, for those who joined after this date, DoorDash deems them safe from the breach.
Second Cyber Attack After A Year
Upon discovering the incident, DoorDash quickly started investigations. Though, they claimed about the low-impact of the incident. It is still alarming from a cybersecurity point-of-view that the breach affected 4.9 million users.
Plus, it took around 5 months for the company to notice the incident and reveal it publicly. While it makes complete sense that investigating things like this takes time, it would have been less worrying if the firm had revealed about it earlier. Even with the recent disclosure, they haven’t mentioned any detail about how the incident occurred, what was that third-party service that affected the security of 4.9 million customers, and how they contained the attack.
Not to forget that DoorDash also suffered a cyberattack last year. That time too, DoorDash didn’t disclose anything before the customers started complaining about the fraudulent use of their accounts. Although then they blamed the incident on credential stuffing.
Let us know your thoughts in the comments.