Profile data of nearly 5 million customers, merchants, and delivery workers of the DoorDash delivery company was leaked after a third-party service provider illegally accessed the user information on May 4, 2018.
An article on TechCrunch revealed that several people had tweeted at @DoorDash with complaints of fraudulent transactions on their accounts, as shown in some of the Twitter screenshots.
In some cases, the cyber attackers modified the illegally accessed account details, such as email addresses, to make it tough for the authorized owners to regain access. A further review of the tweets exposed laxity in the manner in which DoorDash responded to the claims, with some users showing frustration for lack of response.
Impact of the Data Breach
A blog post published by DoorDash specified that only those users who joined the platform before April 6, 2018, were affected by the incident. The company suspects that affected data include:
- Profile information such as names, addresses, phone numbers, order histories, and passwords (DoorDash stored the passwords in salted and hashed form).
- The last four digits of credit card numbers for some users. Fortunately, the data breach did not leak card verification values (CVV), making it impossible for cybercriminals to commit fraud with the information.
- Partial bank account numbers of some merchants and employees. Again, DoorDash specified that this information is not sufficient for hackers to transact on the bank accounts.
- Driver's license numbers of some Dashers.
Action Taken by DoorDash
“We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform,” DoorDash said in an official notice published on its website. “We are reaching directly to affected users.”
As soon as the attack was discovered, the company implemented additional security layers, improved system access controls, and contracted external security experts to enhance the organization’s cybersecurity posture. In addition, DoorDash encouraged users to reset their passwords.
Things to do if you were affected
The organization is clearly concerned about the extent of this data breach and has committed to taking additional steps to strengthen its security. To prevent similar attacks in the future, DoorDash can take the following steps:
- Security by design: enhance software development to deliver systems free of vulnerabilities. The measures include continuous system testing, authentication safeguards, access controls, and following best programming practices
- Patching: share security updates to patch security holes discovered in a service
- Password policies: endorse a policy that requires users to create strong passwords that are hard to guess
- Traffic monitoring: monitor traffic on online platforms to detect account takeover and identity theft. DoorDash can deploy automated monitoring of web traffic that checks each user's activity against that user's established behaviour
- Security tools: the company can implement other security measures, such as firewall installation, antivirus and anti-malware use, and strong cryptography adoption
- Vendor risk assessment: DoorDash should conduct an appropriate third-party risk assessment before onboarding service providers.
Recommended measures for individuals include:
- Updating passwords: DoorDash revealed that the cybercriminals gained access to salted and hashed passwords, which means the platform never stored plaintext credentials but a one-way transformation of them. Even so, it is a good idea to change your password to a long, complex one. Users should also create a unique password for each online account
- Two-factor authentication: if possible, enable multi-factor authentication to prevent unauthorized access to your account even in situations where hackers figure out your credentials
- Credit monitoring: tweets sent to the @DoorDash handle show that fraudulent transactions are still occurring on hacked user accounts, so the attackers could still be transacting with the leaked account information. It is therefore imperative to set up a monitoring service that alerts you to any new activity on your credit reports. If you discover transactions you did not authorize, report them immediately to the credit card provider.
- Freezing your credit: a credit freeze prevents fraudulent card registration or loan application using a stolen identity.
- Awareness: stay vigilant for scammers contacting you. Do not share personal or credit card information with people who call or email you claiming to be from DoorDash. Hackers can use stolen information, such as your name, email address, and partial credit card or bank account number, to craft an official-looking email asking you to share your online banking credentials, and they can set up a phishing login page that imitates your bank's real website. Be cautious and avoid opening attachments or clicking links in such emails unless you recognize the sender. Better still, contact the company directly before sharing any requested information.
- Identity theft protection: consider getting a reliable identity theft monitoring and protection service that notifies you if your data is shared on the dark web or used by unscrupulous people to sign up for credit services.
- Insurance: some identity theft prevention services offer an identity theft insurance that can help recover the costs of identity restoration, lost wages, fraudulent payments, and legal fees.
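The "Updating passwords" item above rests on what salting and hashing actually do to a stored credential. The following is an added example, not DoorDash's code or anything taken from its notice; it uses Python's standard library (PBKDF2-HMAC-SHA256 with a per-user random salt, an assumed work factor of 200,000 iterations, and a constant-time comparison) to show why two users with the same password end up with different stored records, why a leaked record cannot be reversed into the password, and how a password reset replaces the compromised record entirely.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "sha256"
ITERATIONS = 200_000  # assumed work factor for this example; production values vary
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    A fresh random salt is drawn on every call unless one is supplied, so the
    same password stored for two users (or twice for one user) yields two
    different records. Only the salt and digest are stored, never the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the salt and iteration count embedded in the record."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = scheme[len("pbkdf2_"):]
    candidate = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_differ_for_same_password(password: str) -> bool:
    """True when two independently stored copies of one password do not match byte-for-byte."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


def reset_password(users: Dict[str, str], username: str, new_password: str) -> str:
    """Replace a user's stored record after a breach; the old record no longer verifies anything valid."""
    users[username] = hash_password(new_password)
    return users[username]


if __name__ == "__main__":
    # Constructed sample user table for the demonstration.
    users: Dict[str, str] = {"alice": hash_password("correct horse battery staple")}
    leaked_record = users["alice"]
    print("login with right password:", verify_password("correct horse battery staple", leaked_record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", leaked_record))
    reset_password(users, "alice", "a new, unique passphrase for DoorDash")
    print("old record still in use after reset:", users["alice"] == leaked_record)
```

The stored record carries its own parameters, so a site can raise the iteration count for new passwords without invalidating old ones; `verify_password` simply honours whatever count each record names.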
Ultimately, data breaches will keep occurring at an alarming rate. Organizations and individuals, therefore, should consistently take proactive and appropriate steps to keep information safe. In case you detect that you are affected by a similar data breach, act quickly and report to law enforcement to prevent further loss of personal information.