DoorDash was hacked; personal details of 5 million customers and employees leaked

Data protection specialists report that DoorDash has become the victim of a data breach. In a post on its official blog, the food delivery company reported that an unidentified group of hackers managed to extract about 4.8 million customer, employee and delivery history records.

Among the millions of records exposed during the incident are:

  • Full names
  • Phone numbers
  • Email addresses and delivery addresses
  • Delivery history
  • Hashed passwords

In addition, DoorDash mentions that the card numbers of some customers, dealers and merchants were also extracted, although these were not complete and the security numbers remain completely protected.

Company employees mentioned that the intrusion occurred last May 4th, although they don’t add more details, so it’s still a mystery how this incident went unnoticed for more than four months. The company added that customers who started using this service after April 5 will not be affected by the data theft.

Mattie Magdovitz, the company’s communications manager, says the incident is the fault of one of the third-party service providers: “We barely detected the incident, we just started investigating; we are working with data protection experts to determine what exactly happened,” the spokeswoman added. The name of the external company in question was not disclosed.

Unfortunately, this is not the first time DoorDash has been involved in a data privacy scandal. Last year, multiple customers of the company reported that their accounts had been hacked; although DoorDash initially denied a cybersecurity incident, the explanation it offered left affected users unsatisfied.

According to data protection specialists from the International Institute of Cyber Security (IICS), the incident that occurred last year at DoorDash was a credential stuffing attack, in which hackers use passwords leaked from other online platforms to try to access other accounts. It is another example of why using the same password on different websites is not recommended.