DoorDash Data Breach Highlights Mobile Ordering Risks

A data breach at DoorDash has brought the issue of cybersecurity vulnerabilities home to the growing mobile-delivery sector.

The food delivery app maker recently announced a breach affecting about 4.9 million consumers, merchants and delivery workers who joined the platform on April 5, 2018, or earlier. The company found out in September that an “unauthorized third party” accessed some data on May 4, 2019, according to a blog post.

As PYMNTS.com notes, the breach is significant given that DoorDash is the leader in the meal delivery market, with a 36% share of sales. From 2016 to 2018, mobile app orders surged 130% by volume, and total mobile order revenues are projected to hit $38 billion by next year, according to the payment news website’s estimates.

DoorDash said in the blog post that the company has taken “immediate steps to block further access by the unauthorized third party and to enhance security across our platform.” DoorDash users who joined after April 5, 2018, were not affected by the breach, the company said.

Compromised information included names, email addresses, delivery addresses, order history and phone numbers, as well as “hashed, salted passwords,” which are rendered indecipherable to third parties. The driver’s license numbers of about 100,000 delivery workers were also exposed. Also compromised were the last four digits of some customers’ payment cards and the last four digits of some merchants’ and delivery workers’ bank accounts. Full credit card and banking information was not exposed, according to DoorDash.

A DoorDash spokesperson told TechCrunch the breach was due to a “third-party service provider.” But the company did not name the provider. It was also unclear why the breach went undetected for five months. The revelation follows DoorDash consumers’ complaints almost exactly a year earlier about hacked accounts. The company then said there was no data breach and that credential stuffing, where hackers take lists of stolen login information and test them on other sites, was probably to blame. Some users at the time claimed their DoorDash passwords had been unique.
