DoorDash Breach: 4.9 Million Customers and Merchants


DoorDash, the folks who bring you your Big Macs and local fresh mex, disclosed that the personal data of 4.9 million customers, workers and merchants was compromised, including names, email addresses, delivery addresses, order history, and phone numbers, as well as hashed, salted passwords (it wasn't made clear what kind of algorithm they use to hash passwords).

Additionally, the last four digits of consumer payment cards and the last four digits of bank accounts may have been exposed in some cases (although they say the full account numbers were not exposed).

It also appears that around 100,000 delivery workers had their driver’s license information stolen.

While DoorDash is providing notification to customers, the breach happened back in May and it's not clear how the data was accessed; they said they "became aware of unusual activity involving a third-party service provider" which implies API abuse and spelunking -- something that happens when your API security grants far too much access to applications.

GDPR and CCPA both require notification within 72 hours of a breach, and while DoorDash only discovered the "unusual activity" within the last month, we, as an industry, still have a long way to go to identify, notify, and remedy these kinds of breaches.

Cloudentity's end-to-end audit and visibility helps show this kind of unusual activity early. More importantly, APIs need to be dialed down to specific permissions and consent: using our integrated CIAM and API Security means you can limit an app's access to only the specific user data that the user has granted to that specific app.

Details can be found in the DoorDash announcement:

Important security notice about your DoorDash account

And more news from around the internet can be found below:

TechCrunch: DoorDash confirms data breach affected 4.9 million customers, workers and merchants

Washington Post: DoorDash data breach affects 4.9 million users

Wired: Security News This Week: A DoorDash Breach Exposes Data of 4.9 Million Customers
