Data breaches have become common these days, with many large companies, including Sony, affected. Given the high-profile and high-risk reports, you’d think companies would be even more careful with the user data they possess. Some, unfortunately, don’t learn their lesson until the same thing happens to them, as just happened to DoorDash, which reported a data breach that affects millions of its users.
This isn’t DoorDash’s first dance with a hacking incident in the past 12 months, but it is the first time it has acknowledged one. When its users complained last September that their accounts may have been hacked, the company denied it until the matter died down.
This time, DoorDash revealed the attack but blames it on an unnamed third party who had access to DoorDash user data. Based on its investigation, the actual breach took place on May 4, 2019, which left affected users vulnerable for months. DoorDash, however, clarifies that not all users were affected, just about 4.9 million of them.
Specifically, users who joined after April 5, 2018 are not affected, for reasons the company didn’t explain. Perhaps it had implemented new security measures by then but didn’t roll them out to its whole user base. Perhaps the hacker only got hold of a backup that only had accounts up to April 4, 2018. Whatever the case, not all users who joined before that date were affected either.
DoorDash says it has reached out to those actually affected to warn them of the incident. Stolen information includes names, email and delivery addresses, phone numbers, order history, and even the last four digits of some payment cards. The company insists that no CVVs were pilfered and that the information is not enough to make fraudulent charges on credit cards, which is why it isn’t offering any credit card monitoring for its affected users. It does promise that its security has been enhanced since it detected the unauthorized activity earlier this month.