DoorDash, the folks who bring you your Big Macs and local fresh mex, disclosed that the personal data of 4.9 million customers, workers and merchants was compromised, including names, email addresses, delivery addresses, order history and phone numbers, as well as hashed, salted passwords (DoorDash did not say which hashing algorithm it uses).
Additionally, the last four digits of consumer payment cards and the last four digits of bank accounts may have been exposed in some cases (although they say the full account numbers were not exposed).
It also appears that around 100,000 delivery workers had their driver's license information stolen.
While DoorDash is now notifying customers, the access itself happened back in May, and it is still not clear how the data was taken. DoorDash said it "became aware of unusual activity involving a third-party service provider". That has not been confirmed as the cause, but it is consistent with an over-permissioned third-party integration being used to pull data in bulk through DoorDash's APIs, the kind of spelunking that becomes possible when an application is granted far more API access than its job requires.
GDPR requires that a breach be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and California's breach-notification law (which the CCPA builds on) requires notice to affected residents without unreasonable delay. DoorDash says it only discovered the "unusual activity" within the last month, months after the access in May, and that detection gap is the real lesson: as an industry we still have a long way to go in identifying, notifying about and remedying these kinds of breaches.
Cloudentity's end-to-end audit and visibility helps surface this kind of unusual activity early, but more importantly, API access needs to be dialed down to specific permissions and user consent. Using our integrated CIAM and API Security, an application can be limited to only the specific user data that each user has consented to share with that specific app.
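To make that last point concrete, here is a small model of the difference between an app-level scope check and a check that binds each request to a user-bound token and that user's consent, together with the kind of audit signal that surfaces bulk access by a single client. This is an added illustration written for this post, not Cloudentity's, DoorDash's or any vendor's code; the client names, scopes, consent records and request counts are all constructed.

```python
"""Consent-scoped API authorization vs. an app-level scope check, plus an
audit-log check for user enumeration. Illustrative example; every client,
scope, user and consent record below is constructed for the demo."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    client_id: str
    scopes: frozenset
    subject: Optional[str] = None  # user the token was issued to; None = app-only token


# Constructed registry: the scopes each third-party app may ever hold.
ALLOWED_SCOPES = {
    "receipt-printer": frozenset({"orders:read"}),
    "legacy-provider": frozenset({"orders:read", "profile:read"}),
}

# Constructed consent store: user -> app -> scopes that user granted to that app.
CONSENTS = {
    "u1": {"receipt-printer": frozenset({"orders:read"})},
    "u2": {"receipt-printer": frozenset({"orders:read"})},
}


def authorize_legacy(token, scope, user_id):
    """Weak check: any app registered for the scope may read any user's data."""
    return scope in ALLOWED_SCOPES.get(token.client_id, ()) and scope in token.scopes


def authorize_scoped(token, scope, user_id):
    """Hardened check: the token must be bound to the user whose data is requested,
    and that user must have consented to this app receiving this scope."""
    if not authorize_legacy(token, scope, user_id):
        return False
    if token.subject != user_id:
        return False  # app-only tokens and other users' tokens cannot read this user
    granted = CONSENTS.get(user_id, {}).get(token.client_id, frozenset())
    return scope in granted


class AuditLog:
    """Records every decision; denied attempts are kept because probing is itself the signal."""

    def __init__(self):
        self.events = []  # (client_id, scope, user_id, allowed)

    def record(self, token, scope, user_id, allowed):
        self.events.append((token.client_id, scope, user_id, allowed))

    def distinct_users(self, client_id):
        return len({u for c, _, u, _ in self.events if c == client_id})

    def flag_enumeration(self, baseline):
        """Clients that touched more distinct users than their expected footprint."""
        clients = {c for c, _, _, _ in self.events}
        return sorted(c for c in clients if self.distinct_users(c) > baseline)


def records_exposed(log, client_id):
    """Number of successful reads attributed to one client."""
    return sum(1 for c, _, _, ok in log.events if c == client_id and ok)


def simulate(authorize):
    """Run a well-behaved integration and an over-broad one through a policy."""
    log = AuditLog()
    # A scoped integration: one user-bound token per user, reads only that user's orders.
    for u in ("u1", "u2"):
        tok = Token("receipt-printer", frozenset({"orders:read"}), subject=u)
        log.record(tok, "orders:read", u, authorize(tok, "orders:read", u))
    # A service provider holding an app-only token that walks the user base.
    broad = Token("legacy-provider", frozenset({"orders:read", "profile:read"}))
    for i in range(500):
        uid = f"u{i}"
        log.record(broad, "profile:read", uid, authorize(broad, "profile:read", uid))
    return log


if __name__ == "__main__":
    legacy = simulate(authorize_legacy)
    scoped = simulate(authorize_scoped)
    print("legacy policy, provider records exposed:", records_exposed(legacy, "legacy-provider"))
    print("scoped policy, provider records exposed:", records_exposed(scoped, "legacy-provider"))
    print("clients flagged for enumeration:", scoped.flag_enumeration(baseline=10))
```

Under the legacy check the app-only token reads every profile it asks for; under the consent-bound check every one of those 500 requests is denied while the per-user integration keeps working. The audit check flags the provider either way, because the number of distinct users a single client touches is a useful signal whether or not the requests succeeded.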
Details can be found in the DoorDash announcement:
Important security notice about your DoorDash account
And more news from around the internet can be found below:
TechCrunch: DoorDash confirms data breach affected 4.9 million customers, workers and merchants
Washington Post: DoorDash data breach affects 4.9 million users
Wired: Security News This Week: A DoorDash Breach Exposes Data of 4.9 Million Customers