It’s that time to change your passwords again.
Popular on-demand food delivery platform DoorDash has confirmed a data breach affecting 4.9 million customers, workers, and merchants.
The data was accessed by an unnamed third-party service provider on May 4, including profile information such as names, emails, delivery addresses, phone numbers, hashed and salted passwords, as well as the driver’s license numbers of nearly 100,000 delivery executives.
The leak is also said to have exposed the last four digits of payment cards for some consumers and the last four digits of the bank account numbers for some delivery executives and restaurants.
DoorDash, a gig economy giant founded in 2013, connects customers with local restaurants, and relies on independent contractors who use their own vehicles for door-to-door delivery, also known as “Dashers.” It operates in over 4,000 cities across the US and Canada.
The San Francisco-based startup said it was alerted to the breach earlier this month after it noticed unusual activity involving said third-party service provider.
Users who joined the platform after April 5, 2018 were not affected. However, the company recommends changing your password regardless of when you signed up, “out of an abundance of caution.”
It’s not immediately clear how this data came to be accessed in an unauthorized manner, or if this data was being hosted by the third-party service provider, and if they were a victim of a supply chain attack via the third-party.
It also leaves the door open for a possibility that hackers may have had access to this data since May until it was blocked at the start of this month.
In response, the company said it added a number of additional security layers to protect user data, and has improved the security protocols that allow access to its systems. The company is also in the process of reaching out to individual users affected by the breach.
DoorDash, along with Grubhub, Postmates, and Uber Eats, are in a neck and neck race for the pole position in the US food delivery market, but indications are that DoorDash is winning the war, accounting for 34 percent of all deliveries.
While it’s reassuring that DoorDash has hashed and salted the passwords, in the absence of exact specifics like the hashing algorithm used, it’s hard to say if the passwords are completely secure. What’s more, the fact that drivers’ license numbers were swiped could put them at risk of identity theft.
For now, the same rule of security hygiene applies. In the event you turn out to be among those affected, be vigilant about checking your accounts for suspicious activity and immediately reset your DoorDash password, as well as any other service on which the same (or similar) password was used.
What’s more, reused passwords are still one of the top ways attackers takeover online accounts. Even if just one of your passwords gets exposed, criminals can try that same password across other sites. It’s imperative to not just watch out for phishing schemes, but also secure your logins to prevent credential stuffing attacks.