Data protection specialists report that DoorDash has suffered a data breach. In a post on its official blog, the food delivery company reported that an unidentified group of hackers managed to extract about 4.8 million customer, employee and delivery history records.
Among the millions of records exposed during the incident are:
- Full names
- Phone numbers
- Email address and delivery address
- Delivery history
- Hashed passwords
In addition, DoorDash mentions that the card
numbers of some customers, dealers and merchants were also extracted, although
these were not complete and the security numbers remain completely protected.
Company employees mentioned that the intrusion
occurred last May 4th, although they don’t add more details, so it’s still a
mystery how this incident went unnoticed for more than four months. The company
added that customers who started using this service after April 5 will not be
affected by the data theft.
Mattie Magdovitz, the company’s communications
manager, says the incident is the fault of one of the third-party service
providers: “We barely detected the incident, we just started
investigating; we are working with data protection experts to determine what
exactly happened,” the spokeswoman added. The name of the indicated
external company was not disclosed.
Unfortunately, this is not the first time DoorDash has been involved in a data privacy scandal. Last year, multiple clients of the company reported that their accounts had been hacked; although DoorDash initially denied a cybersecurity incident, the explanation it offered left affected users unsatisfied.
According to data protection specialists from the International Institute of Cyber Security (IICS), the incident that occurred last year at DoorDash was a credential stuffing attack, in which hackers use passwords leaked from other online platforms to try to access accounts elsewhere. It is another example of why using the same password on different websites is not recommended.