4.9 Million DoorDash Users Get Heartburn After Massive Data Breach
By: Jim Stickley and Tina Davis
October 3, 2019
The popular online food delivery service recently announced a data breach affecting 4.9 million of its customers. DoorDash, a $4 billion company, released a public notice about the breach five months after it happened. The breach affects all users who signed up for the food delivery service before April 5, 2018, with DoorDash claiming those who created accounts after that date were not affected. The company blames the breach on a third-party service provider it currently chooses not to identify. Millions of DoorDash customers are left with a bad taste in their mouths knowing their personal data has been exposed, regardless of who is at fault.
According to DoorDash, the menu of stolen customer data includes names, addresses, order history, and the last four digits of payment cards and bank account numbers. The breach also includes the complete driver's license information of approximately 100,000 delivery “Dashers.” It’s not clear why the company waited five months to publicly announce the breach in a blog post.
DoorDash believes the data breach occurred on May 4 of this year. However, one year ago, many customers complained to the company that their accounts were hacked. At that time, DoorDash pointed the finger of blame at “credential stuffing,” refusing to accept responsibility for the hacks. Credential stuffing takes advantage of people who reuse the same login information across multiple accounts. Hackers take usernames and passwords stolen from one account and use them to gain access to other accounts where the same credentials were reused. Credential stuffing attacks should be an alarm bell to us all about the importance of having unique login information for each and every online account.
Although DoorDash claims it is now acting to thwart future attacks, the responsibility for safe online transactions once again falls on individual users. The first step is using separate and unique usernames and strong passwords for every account. Make sure all passwords include upper and lowercase letters, one number or more, and one special character or more. Other actions for online safety include keeping close tabs on payment card charges. Monitor accounts regularly and immediately report any unusual or suspicious charges. Also consider credit freeze options to protect compromised accounts from future abuse. It’s no secret that many businesses, including DoorDash, don’t boost security efforts until after a data breach or hack occurs. That means until all vendors provide adequate security for their customers, the responsibility for avoiding data theft falls on consumers.