5M Users’ DoorDash Data Dupe’d by Dastardly Deeds

Another day, another data leak. Gig-economy unicorn DoorDash is the latest security-fail org to admit it’s lost your personal info.

Almost 5 million of you. The company suggests you might want to change your passwords. Uh, yeah, you think?

When will this madness end? In today’s SB Blogwatch, we go get our own takeout.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Gustave’s folly.


Breach was 21 Weeks Ago

What’s the craic? Marie C. Baca reports—“DoorDash data breach affects 4.9 million users”:

 The leaked data may have included names, delivery addresses, phone numbers, order history and the last four digits of customers’ credit cards. Passwords were also compromised, though … “salted” [hashes]. About 100,000 “dashers,” the independent contractors who perform the company’s delivery services, may have had their driver’s license numbers leaked.

DoorDash declined to comment beyond [its] blog post, in which the company said that it “deeply regret[s] the frustration and inconvenience,” [and that] it became aware of “unusual activity involving a third-party service provider” earlier this month. … The company said the credit card and bank account information was not sufficiently complete for unauthorized parties to make fraudulent charges. Still, DoorDash said it is reaching out to all affected users and encouraging them to reset their passwords.

Huh? Shaun Nichols translates—“DoorDash doesn’t just pick up your food orders, it delivers your data to hackers, too”:

 Gig-economy delivery app maker DoorDash is so, so sorry. … The dial-a-serf service said that on May 4 … some miscreant was able to break into one of [its] technology providers.

The mobile application basically [is] like Uber or Lyft but for takeout. … So far, DoorDash says it does not believe any of the passwords have been cracked [but] if you reused the DoorDash password on another site … change that password as well (and, while you’re at it, stop re-using passwords).

Right. And Dan Goodin screams—“Change passwords now”:

 DoorDash … didn’t provide details about the cryptographic hashing regimen used to protect passwords. And a spokeswoman’s email didn’t answer a question seeking that detail.

Many services in the past have used weak algorithms such as MD5 and SHA1. … The result: It’s trivial for the intruders to crack the hashes.

Unless DoorDash says more, people should remain highly skeptical of the company’s claim that the hashing it used made the passwords “indecipherable” and that … user passwords have [not] been compromised. … Anyone who has a DoorDash account should change their password.

[The timeline] leaves open the possibility that the attackers had access for more than 4.5 months. [DoorDash] didn’t address this possibility, and the DoorDash spokeswoman declined to answer a question seeking clarification.
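Goodin's point is the one practitioners care about: "salted" says nothing about how expensive each guess is. The following is an added illustration, not code from the article or from DoorDash, and it assumes nothing about DoorDash's actual scheme. It builds a constructed leaked table (user, random salt, digest) and runs the same per-user dictionary attack against a fast salted hash (SHA-1, one of the algorithms Goodin names) and against a deliberately slow KDF (PBKDF2-HMAC-SHA256 with 200,000 iterations). The usernames, passwords and wordlist are made up for the demo.

```python
# Added example, not DoorDash's code or from the article: why the choice of
# password hash decides whether "salted hashes" in a leak are really safe.
# Assumptions: the leaked table stores (salt, hex digest) per user; the
# accounts, passwords and wordlist below are constructed for this demo.
import hashlib
import os
import time

# Constructed attacker wordlist (a real one has billions of entries).
WORDLIST = ["password", "123456", "qwerty", "letmein", "doordash1", "summer2019"]


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1, a 'fast' hash. The salt stops one precomputed table from
    serving every user, but each guess still costs a single cheap hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256, a deliberately slow KDF. Each guess costs
    'iterations' HMAC computations, so the attack slows down by that factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_leaked_table(accounts, hash_fn):
    """Simulate the stolen password table: user -> (random 16-byte salt, digest)."""
    table = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_fn(password, salt))
    return table


def dictionary_attack(table, wordlist, hash_fn):
    """Per-user dictionary attack. Per-user salts force a fresh hash for every
    (user, guess) pair, which is exactly why the per-hash cost matters.
    Returns user -> recovered password for every account the wordlist hits."""
    recovered = {}
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            if hash_fn(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough single-core throughput of hash_fn; a GPU rig is orders of magnitude faster."""
    salt = os.urandom(16)
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn("benchmark", salt)
        count += 1
    return count / seconds


if __name__ == "__main__":
    # Constructed accounts: two weak passwords, one strong one.
    accounts = {"alice": "password", "bob": "summer2019", "carol": "xT9#vL2q!mRw8z"}
    for name, fn in (("salted SHA-1", sha1_salted), ("PBKDF2 200k", pbkdf2_salted)):
        table = build_leaked_table(accounts, fn)
        start = time.perf_counter()
        cracked = dictionary_attack(table, WORDLIST, fn)
        print(f"{name}: cracked {sorted(cracked)} in {time.perf_counter() - start:.3f}s, "
              f"~{guesses_per_second(fn):,.0f} guesses/s")
```

Both runs recover the same two weak passwords; what changes is the cost per guess, by roughly the iteration count. With a fast hash, "salted" buys almost nothing against a per-user dictionary attack, which is why the question a breached company should answer is not "were they salted?" but "which algorithm and what work factor?" (bcrypt, scrypt, Argon2 or PBKDF2 with a high cost). Absent that answer, Goodin's advice to treat the passwords as compromised stands.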

So who is this mysterious “third party”? Doctor Syntax theorizes:

 Is this going to turn out to have been another of those cases where a backup was sitting, world readable, on a cloud provider? … It’s data up to April 5 last year. … That sounds awfully like a stale backup.

Or perhaps it wasn’t a third party? G’day, rtb61:

 There are numerous ways for insiders to steal that information and sell it to criminals and make it look like outsiders. … Insiders are far more likely to be involved. … Download some data and instant bonus or drugs.

Disposable workers = disposable companies = disposable customers. Beware handing over your details to the cheapest offshore labour they can find; those details will be in the criminal market before you know it.

DoorDash’s own Medium post is helpful and not too PR-speaky. But wow, you should read the ugly comment thread. Like this, from Wouter Vink:

 What you just did is lose/leak information that connects email addresses to physical address. Not cool.

What compensation should we expect from you? You conveniently left that out.

And this gem, from Ben Jones:

 I just called in to the hotline. The person had no idea what was going on and when I asked a question she didn’t know the answer to she hung up.

You basically just gave more than enough information to a 3rd party to engage in countless fraudulent acts. Who was the 3rd party?

What other remedies are you offering? Alerting us is not enough.

Similarly, lohphat’s head meets desk:

 So, I just tried to change my password. I can’t.

If you have two-factor-auth enabled on the account, the web UI won’t allow you to change the password. It goes through the motions but fails silently without actually changing the password.

Brilliant.

And several customers allege this isn’t the first hack of DoorDash data. For example, Crystal Henry:

 F*** DoorDash. … Back in February … I told them that it looks like people are using my account and sending deliveries using my profile, and they still deactivated instead of deleting the profile, and the data associated with it.

I hope their company crashes and burns and that anyone who has had their identity stolen sues them. When people leave, they should not continue to store your data. I wish them the worst.

But who can we trust with our data? Christopher Carver has a fascinating idea:

 What … could we (the Internet) come up with to certify the backend of these services? Like some sort of non-profit open security audit where customers could see if the data behind all these service providers is protected.

Could the Mozilla Foundation step up and offer this as a service? … Where Mozilla grants levels of customer grade security after auditing services and that these service providers would pay to get that stamp of approval.

Is Mozilla a trusted enough foundation that, if Lyft had a Mozilla stamp of customer data protection and Uber did not, people would start to notice and prefer Lyft because they know the data on the backend is secured? On one hand, Mozilla is removed enough not to compromise on customer data protection, but it still has skin in the game: if any Mozilla-certified service were to be compromised, with unencrypted data exposed, it would hurt their branding.

Meanwhile, Working Washington—@workingwa—snarks it up:

 They tried to hide the fact they were stealing tips for about 2 years, so relatively speaking they were quite prompt on this one.

And Finally:

In praise of 19th-century French engineering


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Ginny Beck (cc:by-sa)

Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
