DoorDash has confirmed a data breach.
The food delivery company said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers.
The breach happened on May 4, the company said, and only accounts created on or before April 5, 2018 are affected; customers who joined after that date are not.
It’s not clear why it took almost five months for DoorDash to detect the breach.
DoorDash spokesperson Mattie Magdovitz blamed the breach on “a third-party service provider,” but the third-party was not named. “We immediately launched an investigation and outside security experts were engaged to assess what occurred,” she said.
Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.
The company also said consumers had the last four digits of their payment cards taken, though full numbers and card verification values (CVV) were not taken. Both delivery workers and merchants had the last four digits of their bank account numbers stolen.
Around 100,000 delivery workers also had their driver’s license information stolen in the breach.
The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked. The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of usernames and passwords stolen from other sites and replay them against a target site, succeeding wherever a user reused the same password. But many of the customers we spoke to said their passwords were unique to DoorDash, which would rule out such an attack.
When asked at the time, DoorDash could not explain how the affected accounts were breached.
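The distinction the article turns on (credential stuffing versus a compromise of the site itself) is usually visible in the authentication logs: a stuffing run replays a leaked list once against many different accounts from a small set of source addresses, whereas password guessing hammers a few accounts, and neither explains a successful login to an account whose password was never used anywhere else. The following triage script is an added example, not DoorDash's tooling or any code from the article; the log lines, the log format and the thresholds (`min_accounts`, `max_attempts_per_account`) are constructed for illustration.

```python
"""Triage failed logins: credential stuffing vs. brute force vs. normal traffic.

Added example with a constructed log format: "<timestamp> <source-ip> <account> <OK|FAIL>".
Thresholds are illustrative assumptions, not tuned values.
"""

# Constructed sample auth log (not real data). One source replays a leaked list
# across seven accounts; another guesses one account repeatedly; one is benign.
SAMPLE_LOG = """\
2019-05-04T02:00:01Z 203.0.113.7 alice@example.com FAIL
2019-05-04T02:00:02Z 203.0.113.7 bob@example.com FAIL
2019-05-04T02:00:03Z 203.0.113.7 carol@example.com OK
2019-05-04T02:00:04Z 203.0.113.7 dave@example.com FAIL
2019-05-04T02:00:05Z 203.0.113.7 erin@example.com FAIL
2019-05-04T02:00:06Z 203.0.113.7 frank@example.com FAIL
2019-05-04T02:00:07Z 203.0.113.7 grace@example.com OK
2019-05-04T02:01:00Z 198.51.100.9 alice@example.com FAIL
2019-05-04T02:01:05Z 198.51.100.9 alice@example.com FAIL
2019-05-04T02:01:09Z 198.51.100.9 alice@example.com FAIL
2019-05-04T02:01:15Z 198.51.100.9 alice@example.com FAIL
2019-05-04T02:01:20Z 198.51.100.9 alice@example.com OK
2019-05-04T02:02:00Z 192.0.2.44 heidi@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((ts, ip, account, result == "OK"))
    return events


def profile_sources(events):
    """Per source IP: total attempts, distinct accounts, and accounts that succeeded."""
    profiles = {}
    for _ts, ip, account, ok in events:
        p = profiles.setdefault(ip, {"attempts": 0, "accounts": set(), "ok_accounts": set()})
        p["attempts"] += 1
        p["accounts"].add(account)
        if ok:
            p["ok_accounts"].add(account)
    return profiles


def classify_source(profile, min_accounts=5, max_attempts_per_account=1.5):
    """Verdict for one source.

    stuffing:    many distinct accounts, about one attempt each (a leaked list replayed once)
    brute_force: few accounts, each tried many times (password guessing)
    normal:      anything else
    """
    n_accounts = len(profile["accounts"])
    per_account = profile["attempts"] / n_accounts
    if n_accounts >= min_accounts and per_account <= max_attempts_per_account:
        return "stuffing"
    if n_accounts < min_accounts and profile["attempts"] >= 4 and per_account >= 3:
        return "brute_force"
    return "normal"


def triage(text, **thresholds):
    """Classify every source IP in the log and list accounts that need a forced reset.

    An account that a stuffing source logged into successfully almost certainly
    reused a password leaked elsewhere. A successful login to an account whose
    password was unique to this site is NOT explained by stuffing; that is the
    signal that points back at the site's own systems.
    """
    profiles = profile_sources(parse_log(text))
    verdicts = {ip: classify_source(p, **thresholds) for ip, p in profiles.items()}
    at_risk = sorted(
        account
        for ip, p in profiles.items()
        if verdicts[ip] == "stuffing"
        for account in p["ok_accounts"]
    )
    return verdicts, at_risk


if __name__ == "__main__":
    verdicts, at_risk = triage(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:<14} {verdict}")
    print("force password reset:", ", ".join(at_risk))
```

In the constructed log, 203.0.113.7 is classified as stuffing and the two accounts it logged into are queued for a forced reset; 198.51.100.9 is a single-account brute-force attempt. Real deployments would also key on user agent, ASN and timing, but the core check, distinct accounts per source against attempts per account, is what separates the two attack patterns.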
On Thursday, DoorDash announced in a blog post that an “unauthorized third party” had accessed user data of approximately 4.9 million “consumers, Dashers, and merchants.” DoorDash said names, email addresses, delivery addresses, order histories, phone numbers, and hashed, salted passwords all “could” have been accessed. But it’s not clear what, if anything, might have been done with the data by the third party.
Some financial information was also accessed. DoorDash said that “for some consumers,” the last four digits of payment cards were accessed, but full card numbers and CVV numbers were not. In addition, some couriers and merchants also had the last four digits of their bank account numbers accessed. Approximately 100,000 of the company’s delivery workers had their driver’s license information compromised as well.
DoorDash said the data was accessed on May 4th, but the company did not discover the breach until sometime after it began an investigation earlier this month of “unusual activity involving a third-party service provider.” The company is informing customers affected by the breach now. The breach is believed to have primarily targeted DoorDash users who signed up on or before April 5th, 2018, although the company recommends changing your password regardless of when you signed up, “out of an abundance of caution.”
The breach comes about a year after some DoorDash customers said their accounts had been hacked, but DoorDash told TechCrunch at the time that there had not been a data breach. We’ve reached out to DoorDash for comment and will update this article with anything we hear.
Correction, 6:52 PM ET: The breach is believed to have primarily targeted DoorDash users who signed up on or before April 5th, 2018, not just those who signed up before April 5th, 2018, as we originally stated.
A whistle-blower complaint about a potentially coercive phone call President Donald Trump had in July with Ukrainian president Volodymyr Zelensky led to a congressional hearing and full-on impeachment inquiry this week. At one point in the call, Trump brought up the cybersecurity incident response firm Crowdstrike, indicating that he still doesn’t believe the US intelligence community conclusion that Russia hacked the Democratic National Committee and meddled in the 2016 election. Here’s a map of all the code connections between Russia’s hacker groups, in case you need a quick refresher.
Meanwhile, we walked through the privacy and security settings you should know about in Apple’s new iOS 13 mobile operating system, but Apple is still being rocked by game-changing iOS device security revelations. On Friday, a researcher published a rare exploit that can be used to jailbreak almost every iOS device released between 2011 and 2017, namely every iPhone model from 4S to X.
Findings from the Defcon Voting Village show that voting machines currently in use still contain vulnerabilities discovered more than a decade ago. Google apologized on Monday for how it had been handling human review of audio snippets captured by smart speakers and other devices. The cameras in Ring doorbells are capturing small moments that used to go unseen and changing cultural norms. And the internet infrastructure firm Cloudflare relaunched its security-focused VPN after, ahem, a rocky start.
If all of that isn’t enough for you, read this excerpt from Edward Snowden’s new book Permanent Record to hear, in his own words, why he became a whistle-blower.
And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
In a September 17 class action lawsuit, first announced in July, FedEx shareholders allege that the company’s executives didn’t disclose the full damage wreaked by the 2017 NotPetya cyberattack and its destabilizing effects on a European acquisition. It further alleges that, at the same time, those executives collectively sold tens of millions of dollars’ worth of company stock. NotPetya is the most costly and destructive cyberattack on record, with an estimated $10 billion in worldwide damages.
Earlier this month, security firm Volexity revealed that a likely Chinese hacking campaign had used a collection of iOS zero-day exploits—initially revealed by Google’s Project Zero research team—to infect the phones of members of China’s Uyghur minority. So it comes as little surprise that the same hacking campaign also extended to the other perennial target of China’s hacking and surveillance: Tibetan activists and exiles. The civil society-focused security research group Citizen Lab revealed that a hacking campaign linked to the Uyghur attacks also targeted Tibetans, including the staff of the Dalai Lama, compromising both iOS and Android devices with one-click attacks delivered in WhatsApp messages that exploited now-patched vulnerabilities in web browsers.
This week, YouTubers dealt with a flood of account takeovers that seem to have particularly targeted creators focused on car tuning and car reviews. Dozens of complaints showed up on Twitter and in YouTube support forums after what appears to be a coordinated phishing campaign that harvested users’ credentials. After getting into accounts, the hackers reassigned compromised channels to new owners and then changed their custom URLs to make it seem like the accounts had been deleted.
Google Keystone, which manages Chrome updates, shipped a bug this week that could damage the file system on computers running macOS and even cause data corruption. A series of video editors in Hollywood first noticed the issue when their Mac Pros wouldn’t boot. Some of the configurations used with third-party graphics cards in Mac Pros left film-industry workstations particularly exposed to the bug. Google paused rollout of the offending Chrome update until it could provide a fix and instructions for recovering the affected Macs.