> The information accessed is not sufficient to make fraudulent charges on your payment card.
In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!"
All of these leaks have the cumulative effect of making very commonly used security verification questions ineffective: "Can I verify the last 4 of your social? And the last 4 of your credit card?"
How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.
I'd like to point out, it's not "DoorDash" that has done anything wrong, it's these people:
- Andy Fang
- Evan Moore
- Stanley Tang
- Tony Xu
They decided our security and privacy wasn't worth as much as hur hur hur growth hacking startup hur hur next uber, and couldn't be arsed to even give us a proper apology.
Look at their blog post: not one mention of the words "we sorry, we fucked up".
It's all about the other guys.
The bad guys.
The guys who stole your data, not us, and you should change your password with us to protect your account with us.
No. That's wrong. Look at the 295 million people who weren't affected -- all the people who don't use doordash at all!
That means the best way to protect yourself is to simply not use doordash. Delete it. Delete the email account and the bank/credit card you used with them (ask your bank/credit card company for a new number). Move if you've got to (driver's license details!?!?!?). You have no other protection now - you're fucked. They have your data, and they're only going to risk it again.
And remember how difficult it is to get in control of your data again when the next breach happens, the next time you're thinking about signing up with something, or you're getting ready to vote.
The official blog post doesn't give any information about the breach except "We noticed a third-party had unauthorized access to DoorDash data", and the TechCrunch article says that DoorDash responded that they couldn't explain how the breach happened. How are they so sure that they fixed the underlying cause if they don't even know how the third-party got access in the first place?
There is a silver lining in all these data breaches. At some point in time all our data will have been leaked at least once and probably more than once, and subsequent leaks will not do any more damage.
The safe assumption would then be to not trust any accounts created online without some good old KYC processes in place requiring live verification of identity.
Original blog post: https://blog.doordash.com/important-security-notice-about-your-doordash-account-ddd90ddf5996#46h35gr24e
From the techcrunch article: "It’s not clear why it took almost five months for DoorDash to publicly reveal the breach. DoorDash spokesperson Mattie Magdovitz say why [sic]."
Pretty bad. If personal identity info is exposed, it is irresponsible not to notify users immediately so they can freeze credit and watch for suspicious activity. The blog post did mention a third-party vendor, so it's possible there was a delay, but it's a whole other problem if it took this long to find a breach.
This sounds like it could be "flipboard-itis". Flipboard stored passwords insecurely in the beginning (SHA-1), but switched to bcrypt as it scaled. The passwords breached were from before 2015, so possibly a similar thing here where they started out with bad security and improved with scale (but left the old stuff behind). I'm guessing Doordash did something similar and improved security as it scaled.
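The migration pattern the comment hints at, fast SHA-1 early on and a slow hash later, only helps if the old records are not left behind for users who never log in again. The following is an added illustration, not code from the post, DoorDash or Flipboard: the user records are constructed, and scrypt from the Python standard library stands in for bcrypt so it runs without extra packages. It wraps every legacy SHA-1 digest inside the slow hash in one batch pass (no plaintext needed, so nothing stays as bare SHA-1), and swaps in a native record the next time each user logs in.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a legacy store: unsalted SHA-1 hex digests, the kind
# of scheme the comment attributes to early Flipboard. Users/passwords are made up.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"correct horse battery").hexdigest(),
    "bob": hashlib.sha1(b"hunter2").hexdigest(),
}

# scrypt (stdlib) stands in for bcrypt here; parameters are modest so the example is quick.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def _kdf(material: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(material, salt=salt, **SCRYPT_PARAMS)


def hash_password(password: str) -> str:
    """Native record for a password seen in plaintext (signup or upgrade-on-login)."""
    salt = secrets.token_bytes(16)
    return "scrypt$" + salt.hex() + "$" + _kdf(password.encode(), salt).hex()


def wrap_legacy(sha1_hex: str) -> str:
    """Wrap an old digest without knowing the password: scrypt over the SHA-1 hex.
    This can run as a one-off batch job, so no bare legacy digest is left behind
    for accounts that never log in again."""
    salt = secrets.token_bytes(16)
    return "scrypt-sha1$" + salt.hex() + "$" + _kdf(sha1_hex.encode(), salt).hex()


def migrate_store(legacy: dict) -> dict:
    """Batch step: every legacy record becomes a wrapped record."""
    return {user: wrap_legacy(digest) for user, digest in legacy.items()}


def verify(stored: str, password: str):
    """Check a password against either record type.
    Returns (ok, replacement): replacement is a fresh native record when the
    login succeeded against a wrapped legacy record and should be persisted."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if scheme == "scrypt":
        material = password.encode()
    elif scheme == "scrypt-sha1":
        # Recompute what the legacy system stored, then run the wrapper over it.
        material = hashlib.sha1(password.encode()).hexdigest().encode()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    ok = hmac.compare_digest(_kdf(material, salt), expected)
    if ok and scheme == "scrypt-sha1":
        return True, hash_password(password)  # upgrade on login
    return ok, None


def legacy_remaining(store: dict) -> int:
    """Records still carrying a SHA-1-derived wrapper; a useful migration metric."""
    return sum(1 for rec in store.values() if rec.startswith("scrypt-sha1$"))


if __name__ == "__main__":
    store = migrate_store(LEGACY_USERS)
    print("wrapped legacy records:", legacy_remaining(store))
    ok, replacement = verify(store["alice"], "correct horse battery")
    if ok and replacement:
        store["alice"] = replacement
    print("after alice logs in:", legacy_remaining(store))
```

The `legacy_remaining` count is the number worth watching: it should fall to zero over time, and a breach dump of this store contains no unsalted SHA-1 even for dormant users.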
The classic trite "We take the security of our community very seriously." Nearly every corporate communication about a breach says it and often it comes out to have been demonstrably untrue.
(Throwaway account)
I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame themselves.
The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.
The official blog post: https://blog.doordash.com/important-security-notice-about-your-doordash-account-ddd90ddf5996#46h35gr24e
I feel bad for the people affected, but at least the scummy company got what it deserved for stealing tips (for those unaware, they used to withhold the total tips out of a delivery driver's base compensation, so essentially taking the tips for themselves).
Now if they could just completely die so a more ethical competitor can take its place, it would be even better.
DoorDash is the worst. They inexplicably banned me from their platform after giving me a credit for a bad order. I filed several support tickets over several months and kept getting canned responses about how they were "looking into the issue." Eventually I just switched to Uber Eats.
I've been vending myself unique email addresses for every online account I use for about 3 years. They are nice because I can reply to them like a regular mail and my actual email account gets stripped out automagically.
I've been considering making it a product and I wonder in this case what people would want to do when the account data gets leaked?
1. blackhole all email to the address.
2. forward all email to some email service that is never/rarely used.
3. flag messages that are not sent from the matching domain (doordash.com in this case).
4. blackhole and generate a new address so the user can go back to door dash and provide a fresh email address.
I also wonder if there is any use for metadata on who's trying to email a blackholed email address, e.g. spam blacklisting.
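One way the four options above could be wired into an alias router, as an added example rather than code from the commenter's service (the alias domain alias.example, the rarely-read quarantine mailbox and all sender addresses are constructed for it). It also keeps the per-sender counts on blackholed aliases that the last sentence asks about, and rewrites outbound replies so the real mailbox never appears.

```python
import secrets
from collections import Counter
from dataclasses import dataclass, field

ALIAS_DOMAIN = "alias.example"  # hypothetical domain the alias service owns


@dataclass
class Alias:
    address: str
    real_mailbox: str
    site_domain: str          # domain of the service this alias was handed to
    state: str = "active"     # active | blackhole | quarantine | flag
    quarantine_box: str = "rarely-read@example.net"  # constructed side mailbox (option 2)


@dataclass
class Router:
    aliases: dict = field(default_factory=dict)
    blackhole_senders: Counter = field(default_factory=Counter)

    def register(self, site_domain: str, real_mailbox: str) -> str:
        """Mint a fresh alias for one site."""
        address = f"{secrets.token_hex(6)}@{ALIAS_DOMAIN}"
        self.aliases[address] = Alias(address, real_mailbox, site_domain.lower())
        return address

    @staticmethod
    def _domain(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower()

    def route(self, to_addr: str, from_addr: str):
        """Decide what to do with one inbound message: returns (action, destination)."""
        alias = self.aliases.get(to_addr.lower())
        if alias is None:
            return ("reject", None)
        sender = self._domain(from_addr)
        from_site = sender == alias.site_domain or sender.endswith("." + alias.site_domain)
        if alias.state == "blackhole":
            # Options 1 and 4: drop silently, but remember who keeps writing to a dead alias.
            self.blackhole_senders[sender] += 1
            return ("drop", None)
        if alias.state == "quarantine":
            # Option 2: park everything in a mailbox nobody reads routinely.
            return ("deliver", alias.quarantine_box)
        if alias.state == "flag" and not from_site:
            # Option 3: deliver, but mark mail that did not come from the site itself.
            return ("deliver-flagged", alias.real_mailbox)
        return ("deliver", alias.real_mailbox)

    def leaked(self, address: str, action: str):
        """Apply one of the four responses after a leak.
        Returns the replacement alias for 'rotate', otherwise None."""
        alias = self.aliases[address]
        if action == "rotate":
            alias.state = "blackhole"
            return self.register(alias.site_domain, alias.real_mailbox)
        if action not in ("blackhole", "quarantine", "flag"):
            raise ValueError(f"unknown action {action!r}")
        alias.state = action
        return None

    def rewrite_outbound(self, alias_addr: str, from_header: str) -> str:
        """Replies go out under the alias so the real mailbox is stripped."""
        alias = self.aliases[alias_addr]
        return from_header.replace(alias.real_mailbox, alias.address)

    def suspicious_senders(self, threshold: int = 3):
        """Sender domains that hit blackholed aliases at least `threshold` times."""
        return sorted(d for d, n in self.blackhole_senders.items() if n >= threshold)
```

The domain match in `route` is deliberately loose on subdomains (mail.doordash.com counts as the site) but exact on the registrable domain, so look-alike domains are flagged rather than trusted.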
I still worry about DoorDash's security - someone has signed up for services with my email account - not an issue, I just will never verify them. But they had signed up for DoorDash, and I didn't realize it, and then I tried to sign up for the first time via the Android App with that same email account. I selected the email account and, to my surprise, it immediately let me into the other person's account! They had ostensibly set up a password, but I didn't need it and could see their phone number and bits of their payment information. I sent in a support email for that one, and got the account closed, but still, not a great sign.
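What the comment describes is an email-match auto-link: a sign-in arrives from an identity provider, an older password account merely shares the address, and the two are merged without anyone proving control of that address. The following is an added example, not DoorDash's code; it assumes the Android flow was a federated sign-in of the account-picker kind, and the accounts in it are constructed. The linking decision refuses to merge on email alone unless both sides have verified the address, and asks for the existing password before it links.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str
    email_verified: bool      # has THIS account ever proven control of the address?
    has_password: bool
    idp_subjects: set = field(default_factory=set)  # identity-provider subject ids already linked


def _find_by_email(accounts: dict, email: str):
    email = email.lower()
    return next((a for a in accounts.values() if a.email.lower() == email), None)


def resolve_federated_login(accounts: dict, idp_subject: str, idp_email: str,
                            idp_email_verified: bool):
    """Map a successful identity-provider assertion to a local outcome.
    Returns (outcome, account) where outcome is one of:
      login            - subject already linked, or a safe first-time link
      create           - no account uses this email; a new one was added
      verify-required  - an account with this email exists but one side has not
                         proven control of it; do not sign in, re-verify first
      reauth-required  - the existing account has a password; the user must enter
                         it once before the identity is linked"""
    for account in accounts.values():
        if idp_subject in account.idp_subjects:
            return ("login", account)            # the only fast path: an explicit prior link
    existing = _find_by_email(accounts, idp_email)
    if existing is None:
        new = Account(user_id=secrets.token_hex(8), email=idp_email,
                      email_verified=idp_email_verified, has_password=False,
                      idp_subjects={idp_subject})
        accounts[new.user_id] = new
        return ("create", new)
    if not (idp_email_verified and existing.email_verified):
        return ("verify-required", existing)     # the failure mode in the comment
    if existing.has_password:
        return ("reauth-required", existing)
    existing.idp_subjects.add(idp_subject)
    return ("login", existing)


def link_after_reauth(account: Account, idp_subject: str, password_ok: bool) -> bool:
    """Second step for 'reauth-required': link only once the password check passed."""
    if not password_ok:
        return False
    account.idp_subjects.add(idp_subject)
    return True
```

In the scenario from the comment the stranger's account never verified the address, so the call returns `verify-required` and nobody is signed in; a verified account still gets a password prompt before the new identity is attached.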
I propose a way to improve cybersecurity: FINE companies who lose sensitive customer data to hackers. Fines can be calculated according to the "breach severity grid" which is based on the type of data that is lost. For example:
1. Personal address, DOB - $15.
2. Each social security $20.
3. Driver license number $25.
4. Bank account numbers $30.
etc.
So a loss of 4.9 million social security numbers, DOB and addresses would generate a fine of $171,500,000
Problem solved!
Now, the company will think 100 times BEFORE collecting consumer data if they can actually PROTECT IT. Build robust security FIRST!
I received the email. I'd asked them to delete my account 6 months ago, and they confirmed at the time they'd "deactivated" it. I guess that wasn't enough to protect me. As an American developer, GDPR seemed like a pain at first, but more and more I wish we had something similar.
Disclosure on this was pretty bad. I got an email saying your password has been reset, if you didn't do this contact support.
Removed payment methods from my account and reset the password, but now I assume this was done to all users?
I don't know a great deal about DoorDash, but my understanding is that they're only in the US. If so, they're not bound by the EU's GDPR data breach disclosure timescales, which are "without undue delay and, where feasible, not later than 72 hours" if they're likely to result in a high risk to the rights and freedoms of data subjects, which this seems to fit. Compare that with the apparent five-month delay here, with all its attendant risks to the customers whose data was made available. The EU has its flaws, but when I read stories like this I'm really happy I'm covered by GDPR.
After using food delivery and takeout services, I felt the plastic waste it generates is incredible. All the folks that care even a little bit about the environment, please just get out of your homes and just dine-in. Silicon Valley startups just don’t care about the environment, you can change that one person at a time.
This was great to get an email about since doordash does not let users delete accounts. You can only 'deactivate' in a way that is easy to 'reactivate'. If I had actually been allowed to delete my account many months ago when I asked, maybe I wouldn't have had my information leaked.
Is their password change function working? I can't seem to change my pw. It gets to SMS 2FA then appears to fail when I try to verify the token I'm sent and boots me back to the PW change page.
I don't know what's more frustrating to read -- news of these seemingly constant data breaches or news that the latest Windows 10 Update just broke something else.
Once again, the US is sorely lacking regulation w.r.t. data breaches. In Europe the breach might have still happened, but at least customers would have been told months earlier and there would be some predictable penalties for the companies. I also think that DoorDash would have been more transparent about the steps that led up to this.
We need a US GDPR. Even if there's nothing like the right to be forgotten, we need data breach regs.
> The breach happened on May 4
I don't believe for one second that they didn't know about it for five months! Can someone in the EU please report this so that it's investigated for a GDPR violation?
Edit: from the official post on blog.doordash.com:
> Earlier this month, we became aware of unusual activity involving a third-party service provider.
Of course. This is quite a bit more than the 72 hour window GDPR allows.
I attempted to purge my data from Doordash's servers. They refused, citing GDPR for some reason and saying the best they could do was to "deactivate" my account (while retaining my personal information).
Okay, this has been up for two whole hours, and no one has yet said "OMG, I think I'm going to lose my lunch over this!"
Get with it people! The jokes are right there.
These kinds of bugs and problems will open the eyes of companies to get onto blockchain.
As a Blockchain enthusiast, I found it is best to store data on it. And in the market many companies are doing the same too.
To fire more questions and queries, drop a mail to sagar@trsts.co