US food delivery service DoorDash is in the process of notifying its customers after discovering a data breach affecting millions of consumers.
The firm claimed in a notice published yesterday that an unauthorized party managed to access data on 4.9 million customers.
“Earlier this month, we became aware of unusual activity involving a third-party service provider,” it said. “We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”
Users who registered with the platform on or before April 5, 2018 are said to be affected. Email addresses, delivery addresses, order history, phone numbers and salted and hashed passwords were stolen, as well as the last four digits of some users’ payment cards.
The last four digits of bank account numbers belonging to some of the firm’s restaurant clients and delivery drivers were also taken, along with the driver’s license numbers of 100,000 delivery staff.
Despite salting and hashing passwords, the firm is advising users to reset their credentials for the site, since a salted hash can still be cracked offline if the underlying password is weak or reused.
Experts were quick to criticize the firm: despite its efforts to encrypt passwords, the stolen data could be used in follow-on attacks, argued Lucy Security CEO, Colin Bastable.
“In the race to grab market share, businesses like DoorDash place security too far down the list,” he argued. “Outsourcing data in-sources cyber-insecurity, and consumers pay the price of a carelessly clicked email phishing link or a targeted spear-phishing attack.”
DoorDash is no stranger to security incidents. Back in September 2018 it claimed that reports from multiple users of their accounts being hacked were down to credential stuffing.
In response to that incident, it blocked the suspect IP address trying to take over accounts, integrated with the HaveIBeenPwned? breach notification site, and rolled out two-factor authentication.