Food-delivery service DoorDash recently announced that it fell victim to a data breach. The information of approximately 4.9 million consumers, Dashers, and merchants who joined the platform on or before April 5, 2018, was affected.
DoorDash officials said in a statement that they became aware that an unauthorized third party had accessed some DoorDash user data on May 4, 2019.
"We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users," the statement read.
DoorDash said the type of user data accessed could include:
- Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords.
- For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or CVVs was not accessed.
- For some Dashers and merchants, the last four digits of their bank account number.
Karisse Hendrick, an e-commerce chargebacks and fraud consultant and CNP contributor, noted in a LinkedIn blog post that CNP merchants should be on guard for fraud in the wake of the breach.
"In this case, names, e-mail addresses, order histories and (hashed) passwords were exposed," said Hendrick. "For CNP merchants, this means that credential stuffing, ATOs and new account fraud (for private label cards/lines of credit) are to be expected. While the passwords exposed were hashed, I recently learned those can be exposed fairly easily. (Don't believe me? Hash your password & put it into Google....)"
Hendrick advised merchants who are concerned about overlap between their customer base and DoorDash's to consider sending an e-mail suggesting a password update.
"Continue to be vigilant, with an awareness that there may be a spike in this activity in the coming weeks/months," she said.