Another data security disaster for 'food delivery on demand' startup DoorDash, and it's not their first. The company has confirmed a data breach, and says sensitive information belonging to 4.9 million individual customers, delivery workers, and merchants was stolen by hackers.
In a blog post, DoorDash said the breach happened on May 4, nearly five months ago. It didn't explain the gap. DoorDash said any users who signed up after April 5, 2018 were unaffected by the breach.
DoorDash spokesperson Mattie Magdovitz blamed the breach on "a third-party service provider," but the third party was not named. "We immediately launched an investigation and outside security experts were engaged to assess what occurred," she said.
Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.
The company also said consumers had the last four digits of their payment cards taken, though full numbers and card verification values (CVV) were not taken. Both delivery workers and merchants had the last four digits of their bank account numbers stolen. Around 100,000 delivery workers also had their driver's license information stolen in the breach.
The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked. The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of stolen usernames and passwords and try them on other sites where users have reused the same passwords. But many of the customers we spoke to said their passwords were unique to DoorDash, ruling out such an attack.
Read the full story: DoorDash confirms data breach affected 4.9 million customers, workers and merchants
[techcrunch.com, Zack Whittaker – image: shutterstock]