Security & Fraud

DoorDash Says May Breach Hit 4.9M Users


DoorDash has revealed that it was the victim of a data breach in May.

“Earlier this month, we became aware of unusual activity involving a third-party service provider,” the company wrote in a blog post. “We immediately launched an investigation, and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.”

It’s unknown why it took DoorDash five months to detect the breach, which impacted around 4.9 million consumers, Dashers (delivery workers), and merchants who joined the platform on or before April 5, 2018. Those affected had their names, email and delivery addresses, order histories, phone numbers and hashed and salted passwords stolen.

For some, the last four digits of their payment cards were taken. However, the company said full credit card information, including complete card numbers or CVVs, was not accessed, and the information taken is not enough to make fraudulent charges on a payment card.

In addition, around 100,000 delivery workers also had their driver’s license information stolen in the breach.

“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats,” the company added.

The news comes after DoorDash customers complained last year that their accounts had been hacked, which the company denied, according to TechCrunch. Instead, DoorDash claimed attackers were running credential stuffing attacks in which hackers take lists of stolen usernames and passwords and use them on other sites that use the same passwords. Many customers, however, pointed out that their passwords were unique to DoorDash.



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.