Secplicity - Security Simplified

Powered by WatchGuard Technologies

DoorDash Supply-Chain Attack

September 27, 2019 By Emil Hozan

DoorDash is a popular food delivery service – and very convenient, if I say so myself. However, in the seemingly never-ending trend of cyber attacks, DoorDash, too, fell victim to a supply-chain attack. Earlier this month, DoorDash identified unusual activity via a third-party service. They immediately launched an investigation and have consulted with outside agencies.

Fret not: only community members who joined on or before April 5, 2018 were affected. Those who joined after April 5, 2018 are not affected. The impacted accounts total 4.9M records. This includes users, Dashers (those who deliver on DoorDash’s behalf), and merchants.

Consumer data includes names, emails, addresses, order histories, phone numbers, and hashed and salted passwords. Some consumers’ last four credit card digits were harvested, but DoorDash claims that “…full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.”

Dashers and merchants had the last four digits of their bank account numbers leaked, but DoorDash’s claim that the information is insufficient to make fraudulent charges applies here as well. Approximately 100K Dashers also had their driver’s license numbers accessed.

As for what DoorDash is doing, they’re reaching out to the affected parties and upping their security posture to prevent similar incidents in the future. Although the passwords were hashed and salted, they may still be crackable, so to err on the side of caution, DoorDash urges customers to change their password and make it unique to DoorDash. I highly recommend this as well: using a password manager and unique passwords for your various accounts ensures a leaked password is useless for other accounts.

Filed Under: Editorial Articles Tagged With: data leak, supply chain attack
