Food delivery company DoorDash has announced that it has been the victim of a data breach impacting 4.9 million accounts, the second major cybersecurity incident to hit the company.
On 4 May 2019, what DoorDash described as an “unauthorised third party” accessed the data of merchants and customers who had registered with DoorDash prior to 5 April 2018; users who joined after that date were not affected.
The breach included partial credit card information, email and delivery addresses, phone numbers, names and order histories. It also included hashed, salted passwords. Hashing means the plain-text passwords themselves were not stored, and salting defeats precomputed lookup tables, but whoever holds the hashes can still run offline guessing against them, so weak or reused passwords remain at risk and affected users should change them.
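To make the hashed-and-salted caveat concrete, the following added example (not DoorDash's code or scheme; the page does not say which hash function DoorDash used, so PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumption) shows why a per-user salt means two accounts with the same password get different hashes, and why a stolen salted hash of a common password still falls to a short wordlist while a random password does not. The wordlist and the two accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Everything here is constructed for illustration; it is not DoorDash's scheme or data.
# Assumption: PBKDF2-HMAC-SHA256 as the password hash; the page does not say what DoorDash used.
ITERATIONS = 100_000

# A constructed "leaked wordlist" of the kind a thief tries first against stolen hashes.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "doordash2019"]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two users
    with the same password get different digests, so cracking one hash does not
    reveal every other account that chose the same password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt: bytes, digest: bytes, wordlist,
                  iterations: int = ITERATIONS) -> Optional[str]:
    """What a thief can do with a stolen (salt, digest) pair: the salt sits beside
    the hash in the stolen table, so it is not secret, and each guess is simply
    hashed with it. Salting stops precomputed tables, not guessing.
    Returns the recovered password, or None if no guess matched."""
    for guess in wordlist:
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None


def demo() -> dict:
    """Run the scenario on two constructed accounts and return what the thief learns."""
    weak_salt, weak_digest = hash_password("password123")            # common password
    strong_salt, strong_digest = hash_password("kX9#vQ2mL!pR7wZe")  # random, not in any wordlist
    return {
        "weak_recovered": offline_guess(weak_salt, weak_digest, WORDLIST),
        "strong_recovered": offline_guess(strong_salt, strong_digest, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())  # {'weak_recovered': 'password123', 'strong_recovered': None}
```

The recovered value is exactly what a credential-stuffing attacker then replays against other sites, which is why a breach of "only hashed" passwords still matters for anyone who reused the password elsewhere.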
Around 100,000 delivery workers also saw their licence details stolen.
DoorDash data breach follows earlier cybersecurity incident
The data breach follows a disputed cybersecurity incident at DoorDash in September 2018, where customers claimed that their accounts had been hacked.
However, DoorDash rejected this claim at the time, arguing instead that the affected accounts had been accessed using passwords reused from other sites and stolen in earlier breaches, an attack known as credential stuffing.
Nevertheless, many customers affected by the incident claimed to be using unique passwords on the delivery site, raising questions about DoorDash’s version of events.
For cybersecurity experts, this new data breach suggests DoorDash did not take the earlier incident seriously enough.
“With this being the second major breach reported by DoorDash in a relatively short time-frame, it’s clear that lessons haven’t been learned,” said Richard Cassidy, senior director of security strategy, Exabeam.
“In any data breach scenario, the most critical element is communication. When customer personally identifiable information (PII) is believed to have been breached, or at risk as a result of a suspected breach, consumer and industry confidence can only be salvaged through transparency.”
The fallout from the DoorDash data breach
For those impacted, the breach not only means that their personal data is currently at risk, but that they could be at greater risk in the future.
“Unfortunately, customers, delivery workers, and merchants impacted by this DoorDash incident are now vulnerable to the sinister designs of hackers both now and in the future,” said Anurag Kahol, CTO at Bitglass.
“Malicious parties can use payment card information and personally identifiable information (PII) to make fraudulent purchases, to make a sale on the dark web for a quick profit, and much more.
“Additionally, a staggering 59% of consumers reuse passwords across multiple accounts. This means that if a cybercriminal appropriates a single password, then they can potentially gain access to a user’s accounts across a number of services wherein said password is reused.”
Preventing future breaches
For DoorDash and others looking to shore up their cybersecurity in the wake of the data breach, the advice is to reconsider how personal data is stored and what is retained, not just to ensure it is well-guarded.
“Organisations large and small all over the world have fallen victim to data privacy breaches and data loss – the impact of which could have been minimised, or prevented from happening in the first place,” said Jan van Vliet, vice president and general manager EMEA at Digital Guardian.
“Cybersecurity programs should ensure that emphasis is placed on the security of the data itself – and not just on networks, servers and applications. Shifting the focus towards identifying, controlling and securing sensitive data assets may not prevent a cyber breach, but it will minimise data loss – and hopefully the need to admit you should have known better.”