DoorDash Data Breach Impacts 4.9M Users – Experts Comments

DoorDash has confirmed a data breach impacting 4.9 million users including customers, delivery workers (Dashers) and merchants. The food delivery company said that the breach happened on May 4 and that customers who joined after April 5, 2019 are not affected. It’s still unclear why it took several months for DoorDash to publicly address the incident.

  • Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.
  • Consumers had the last four digits of their payment cards taken, though full numbers and card verification values (CVV) were not taken.
  • Both delivery workers and merchants had the last four digits of their bank account numbers stolen.
  • Around 100,000 delivery workers had their driver’s license information stolen.

EXPERTS COMMENTS
Dr. Muhammad Malik, Editor-in-Chief, Information Security Buzz
October 01, 2019
Given the changing landscape of the threats and business processes, companies should keep on devising security strategies to minimize risk.
DoorDash spokesperson blamed the breach on "a third-party service provider", without disclosing the name of the provider. But before blaming the third-party service provider, DoorDash should security assess its internal process of sharing data with third-party service providers. In today's connected world, the security of the business partner is equally important as the company's own security. Giv ....
Vinay Sridhara, CTO, Balbix
October 01, 2019
DoorDash must continuously monitor all assets across hundreds of attack vectors to detect vulnerabilities
Seven months ago, DoorDash announced $400 million in Series F funding and the company says the funding came at a $7.1 billion valuation. The company’s growth can be attributed to its reach of 3,300 cities across the U.S. and Canada, its selection of partners and DoorDash Drive which allows businesses to make their own deliveries within the DoorDash network. However, in a saturated food delivery ....
Stuart Reed, VP, Nominet
September 30, 2019
Data should be treated according to sensitivity.
The DoorDash data breach demonstrates how careful companies need to be when selecting partners and understanding the access rights and security posture they have. While DoorDash, for example, could have done all of the security due diligence for itself as a company, if its partners weren’t secure, then neither was DoorDash. Companies need to be more vigilant in understanding how secure their par ....
Rosemary O'Neill, Director - Customer Delivery, NuData Security
September 30, 2019
We must change the current equation of "breach = fraud" by changing how companies think about online identity verification.
Data in the wrong hands – especially personally identifiable information – can have a huge impact on customers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for a myriad of criminal activiti ....
Richard Cassidy, Senior Director of Security Strategy, Exabeam
September 30, 2019
Not least the importance of truly understanding the nature of what you're protecting as a business and whom you're protecting it from.
With this being the 2nd major breach reported by DoorDash in a relatively short time-frame, it's clear that lessons haven't been learned. In any data breach scenario, the most critical element is communication. When customer personally identifiable information (PII) is believed to have been breached, or at risk as a result of a suspected breach, consumer and industry confidence can only be salvage ....
Jan van Vliet, VP and GM EMEA, Digital Guardian
September 30, 2019
Cyber security programs should ensure that emphasis is placed on the security of the data itself.
Organisations large and small all over the world have fallen victim to data privacy breaches and data loss – the impact of which could have been minimised, or prevented from happening in the first place. Cyber security programs should ensure that emphasis is placed on the security of the data itself – and not just on networks, servers and applications. Shifting the focus towards identifying, ....
Anurag Kahol, CTO, Bitglass
September 30, 2019
Malicious parties can use payment card information and personally identifiable information (PII) to make fraudulent purchases.
Unfortunately, customers, delivery workers, and merchants impacted by this DoorDash incident are now vulnerable to the sinister designs of hackers both now and in the future. Malicious parties can use payment card information and personally identifiable information (PII) to make fraudulent purchases, to make a sale on the dark web for a quick profit, and much more. Additionally, a staggering 59% o ....
Erich Kron, Security Awareness Advocate, KnowBe4
September 30, 2019
Any time there is a lot of correlated data in a breach, the bad guys can use that against people.
This particular breach disclosed a significant amount of information, even though the passwords were hashed and salted. By using information from this breach, attackers could create a very convincing phishing email using your name, email address and phone number, along with the last four digits of the credit card and trick a person into believing it was legitimate. This is even worse for delivery ....
Paul Bischoff, Privacy Advocate, Comparitech
September 30, 2019
A food delivery service, for example, might not excel at digital advertising. So it contracts that part of its business out to a third party.
"The third-party provider did it" is becoming a common chorus among many companies whose data was breached or exposed. If you think you're only giving up information exclusively to one party when you sign up for any sort of account these days, you're very likely mistaken. Data sharing is commonplace, because not every company is equipped to secure, analyse, or exploit it. A food delivery service, ....
George Wrenn, Founder and CEO, CyberSaint Security
September 30, 2019
Technology-driven businesses must become significantly more diligent in their assessment of third-party vendors.
Managing third-party vendors has become a leading concern for all businesses, especially technology companies. Many web-based organizations are leveraging cloud technologies from the beginning and that brings a host of assumptions regarding the vendor's security and opening themselves up to increased third-party risk. Technology-driven businesses must become significantly more diligent in their a ....
Ilia Kolochenko, CEO, ImmuniWeb
September 29, 2019
Risks affiliated to insecure or careless third parties are an Achilles’ Heel of most modern companies and organizations.
It would be premature to make any conclusions about the origins of the breach prior to a detailed technical investigation assisted by law enforcement agencies. A breach or data theft by a trusted third party, such as a supplier or data analytics company, is nonetheless quite possible. Risks affiliated to insecure or careless third parties are an Achilles’ Heel of most modern companies and organiza ....
Dr Guy Bunker, CTO, Clearswift
September 27, 2019
For external contractors who have access to internal systems and data, one must again consider who will revoke access and when?
For the individual, there is always a challenge with protection against third-party data breaches, particularly when the company needs to have a significant chunk of your personal information in order to deliver their service. In this case, everyone in the supply chain was impacted. For consumers, all too often deciding whether or not to use a service is based on price or convenience – and certa ....
Erich Kron, Security Awareness Advocate, KnowBe4
September 27, 2019
The fact that this data has been available for so long before people were notified is unfortunate.
This particular breach disclosed a significant amount of information, even though the passwords were hashed and salted. By using information from this breach, attackers could create a very convincing phishing email using your name, email address and phone number, along with the last four digits of the credit card and trick a person into believing it was legitimate. This is even worse for delivery ....
Rob Gurzeev, CEO and Co-Founder, CyCognito
September 27, 2019
Organizations need to expose those shadow risks by mapping and assessing their full attack surface.
Unfortunately, this kind of IT ecosystem risk isn't unique to DoorDash. In fact, IT and security teams often don't even know if and where all of their organization’s digital infrastructure and assets are, or whether they’re fully protected. This ‘awareness gap’ is called shadow risk, and it’s a major problem. Organizations need to expose those shadow risks by mapping and assessing their ful ....
Kevin Gosschalk, CEO, Arkose Labs
September 27, 2019
As long as there is money to be made in the world of cybercrime, fraudsters will continue to find a way to breach credentials.
Companies have spent millions of dollars trying to collect user data that can help them predict behavior, but fraudsters are acquiring this lucrative user data rather easily – one breach at a time. With each data breach, cybercriminals can build a complete profile of user identity and use those insights to create new inauthentic profiles which will be used for further malicious activity. This ha ....
Peter Goldstein, CTO and Co-founder, Valimail
September 27, 2019
Email security solutions that focus on authenticating sender identity are critical to fostering an atmosphere of trust with email communication.
DoorDash’s data breach — which exposed names, email addresses, delivery addresses, order history, phone numbers, and hashed passwords — puts close to 5 million people at an increased risk for phishing attacks and other fraudulent activity. Cybercriminals can use this kind of data, in combination with effective and widely used email impersonation techniques, to send people especially convinci ....
Robert Prigge, CEO, Jumio
September 27, 2019
Doordash’s breach highlights why online accounts need to be protected with much stronger forms of authentication.
In today’s digital-first economy, consumers are accustomed to having everything – even their favorite foods – available with a touch of a button. The emergence of the sharing economy creates a whole new level of convenience for consumers but does not come without risks. Because the service provider is facilitating an in-person meeting between two individuals, it’s imperative that the organ ....
Colin Bastable, CEO, Lucy Security
September 27, 2019
In the race to grab market share, businesses like DoorDash place security too far down the list.
Doordash does more than take a bite out of your food... Once again, third party risk exposes consumers’ data to the Dark Web. Just because the passwords are hashed and salted does not mean that this was an innocuous hack. 4.9 million consumers’ names, email addresses, phone numbers, addresses are available to be exploited multiple times over the next few years. In the race to grab market share, ....
Stephan Chenette, Co-Founder and CTO, AttackIQ
September 27, 2019
Cybercriminals are continuously looking for gaps in security defenses and overlooked basic security misconfigurations, to turn a quick profit.
Almost exactly a year ago DoorDash customers notified the company their accounts were hacked in an apparent data breach. Now, DoorDash is facing yet another security issue affecting 4.9 million customers, workers and merchants. Breached information includes names, hashed and salted passwords, payment card information, among other personally identifiable information. Furthermore, delivery worker ....
Chris DeRamus, Co-founder & CTO, DivvyCloud
September 27, 2019
Only 100% consistency in implementing best practices, policies and tools can ensure protection against a breach.
Since its founding in 2013, DoorDash has quickly become the biggest on-demand food delivery app in the U.S. and is the first of its kind to provide availability in all 50 states. 2019 is already on track to become the worst year for data breaches yet. In today's digital era and with the rise of the gig economy, reliance on cloud and container infrastructure is a critical part of the workforce. Co ....