Users who joined DoorDash before April 5, 2018 had their name, email, delivery addresses, order history, phone numbers, banking, and credit card details stolen. The breach happened May 4, but the company didn’t reveal why it took them 5 months to discover the breach.
DoorDash would have you believe they are the victim, and blamed an unnamed subcontractor, but shoddy security practices yet again appear to be the root cause, leaving the door wide open for enterprising cybercriminals.
DoorDash, a food delivery company, operates in 4,000 cities, including 92 markets scattered across every Canadian province.
The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked. The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of stolen usernames and passwords and try them on other sites that use the same passwords. But many of the customers we spoke to said their passwords were unique to DoorDash, ruling out such an attack.
There’s an important difference with this hack that Cory Doctorow at Boing Boing notes:
DoorDash, by its nature, includes the home addresses of people who otherwise avoid disclosing where they live.
People at risk from doxing, swatting, stalking, and other forms of privacy invasion take great pains to keep their home addresses secret, such as renting private mailboxes and having all correspondence and deliveries sent to those addresses.