Food delivery service company DoorDash finally admitted to a data breach via a blog post last Thursday, September 26, 2019. The data breach is said to affect approximately 4.9 million individuals, including delivery people and partner establishments.
According to the blog post, the breach occurred on May 4, 2019. However, the company only detected the unauthorized activity in September 2019. Following detection of hackers in the system, DoorDash reportedly acted on the incident immediately.
Internal investigations by the food delivery business revealed that the unusual activity stemmed from a third-party service provider. Although spokesperson Mattie Magdovitz blamed the third-party service provider, the company did not name the firm involved, TechCrunch reports.
Magdovitz said they “immediately launched an investigation and outside security experts were engaged to assess what occurred.”
To stop hackers from further compromising data, the food delivery business moved to block hacker access. It also claims to have enhanced its security features, says CNN.
Compromised information includes data found on the user’s profile page: customer names, email addresses, delivery addresses, order histories, and passwords. Hackers mined the passwords even though the company had hashed and salted them.
Based on the blog post released by DoorDash, other customers also had their credit card information compromised, although hackers obtained only the last four digits. Other merchants and users also had the last four digits of their bank account numbers exposed.
The driver’s licenses of approximately 100,000 users were also accessed.
The company maintains that individuals who signed up for its services after April 5, 2018, were not included in the breach.
Steps Taken by the Company to Address the Situation
Besides immediately halting hacker access, the company also added security features to prevent similar incidents from happening again. These include adding security layers as well as hiring third-party consultants. The firm will also notify affected individuals.
Following the leak, DoorDash urged its users to change their passwords, including those who were not affected by the incident. Other individuals concerned about their privacy and personal information may reach out to the company. The hotline may be reached at 855-646-4683 24 hours a day, 7 days a week.
News of the incident comes only a year after customers complained about their DoorDash accounts being hacked. TechCrunch reveals that DoorDash denied the 2018 breach. Instead, it blamed the incident on hackers running credential stuffing attacks to obtain essential information from consumers.