DoorDash Confirms Data Breach Affected 4.9 Million Customers, Workers, and Merchants (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: DoorDash has confirmed a data breach. The food delivery company said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers. The breach happened on May 4, the company said, but added that customers who joined after April 5, 2018 are not affected by the breach. It's not clear why it took almost five months for DoorDash to detect the breach.

DoorDash spokesperson Mattie Magdovitz blamed the breach on "a third-party service provider," but the third party was not named. "We immediately launched an investigation and outside security experts were engaged to assess what occurred," she said. Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers, and hashed and salted passwords stolen. The company also said the last four digits of consumers' payment cards were taken, though full numbers and card verification values (CVV) were not. Both delivery workers and merchants had the last four digits of their bank account numbers stolen. Around 100,000 delivery workers also had their driver's license information stolen in the breach.

  • There are numerous ways to encrypt your data, I remember MIT did some CryptDB stuff with fully homomorphic encryption, wonder what ever happened to that. Microsoft also has "always encrypted" support, probably other DB vendors as well.

    • Encryption protects data at rest. When someone (or some system) is looking at the data, it needs to be decrypted.
      Encrypting your database protects you from someone stealing your hard drives or stealing your database files, but not from someone attacking the application (XSS + SQL injection) or someone with access just outright taking it and fucking about with it.

      • by e3m4n ( 947977 )

        wow someone gets it... no matter how you encrypt shit, at some point it has to be decrypted to be useful. At that same place, therein lies a vulnerability.

        • You can move that vulnerability around, and even narrow the window. You can make special cryptographic systems that allow useful operations to be performed on encrypted data, without having to decrypt the data. (homomorphic encryption and homomorphic secret sharing)

          Standard practice today isn't necessarily the most secure way we know of, nor is it the pinnacle of technology. New capabilities are being thought of all the time, and eventually some of those new systems will find practical application.

      • Hence the always encrypted, not standard DB encryption. Look up MIT CryptDB.
    • by rtb61 ( 674572 )

      There are numerous ways for insiders to steal that information and sell it to criminals and make it look like outsiders. It happens so often that insiders are far more likely to be involved, I mean underpaid and download some data and instant bonus or drugs. Disposable workers = disposable companies = disposable customers. Beware handing over your details to the cheapest offshore labour they can find, those details will be in the criminal market before you know it, and in this case for over 6 months.

  • by quonset ( 4839537 ) on Thursday September 26, 2019 @06:10PM (#59241036)

    Data breaches have become as common as white men going on mass shooting sprees. It's not even newsworthy any more.

  • by ceoyoyo ( 59147 ) on Thursday September 26, 2019 @06:12PM (#59241042)

    Hey, they weren't completely stupid. They supposedly hashed and salted the passwords, and only kept partial credit card information.

    Perhaps the corps are learning. Crank up the penalties a little higher until they achieve some kind of reasonable standard.

    • Hey, they weren't completely stupid. They supposedly hashed and salted the passwords, and only kept partial credit card information.

      Perhaps the corps are learning. Crank up the penalties a little higher until they achieve some kind of reasonable standard.

      "Around 100,000 delivery workers also had their driver's license information stolen in the breach."

      They were stupid enough

      • It's not the best or worst. Most are worse, but we need to call out everyone on '3rd party provider' though, because outsourcing is seen as a way to outsource blame, and it shouldn't be when the data was entrusted to the company you gave it to. Accepting outsourcing of risk and blame potentially increases the chances of this happening and shouldn't be seen as a way for business to wipe their hands of the care and risk and blame someone else when it hits the media.
    • Re: (Score:2, Informative)

      by DogDude ( 805747 )
      Crank up the penalties a little higher until they achieve some kind of reasonable standard.

      What penalties? Right now, in the US, there are zero criminal or civil penalties to a data breach.
      • by ceoyoyo ( 59147 )

        I guess you guys have extra cranking to do then.

        • Re: (Score:3, Interesting)

          by Ryzilynt ( 3492885 )

          Well, a quick and probably insufficient analogy.

          Someone breaks the lock on my front door, or breaks a window.

          Gets in the house and steals my Aunt Elma's phone number from my list of emergency contacts.

          The alarm went off, the police showed up.

          The guy was already gone, and he had stolen Aunt Elma's personal data.

          Have I committed a crime?

          • by DogDude ( 805747 )
            There are literally, as far as I know, no laws in the US about preventing data theft. Sure, it may be illegal to steal data, but I don't think there's a law regarding a company doing certain things to protect its users' data.
          • by ceoyoyo ( 59147 ) on Thursday September 26, 2019 @09:26PM (#59241414)

            As with all analogies, yours is a bit off.

            Try this one:

            You put money in the bank. The bank assures you that it's completely reliable, and will definitely protect your money. It's safe. Trust us. The bank doesn't bother with a vault, security system, or really any standard protections, but just leaves all the cash in clearly marked bags in full view of the plate glass window. It gets stolen. Has the bank committed a crime? Quite likely. It's called negligence most places.

            And even with the bank, you're choosing to give them your money. With many of these companies you don't have a choice whether they retain your information or not.

            • "With many of these companies you don't have a choice whether they retain your information or not."

              You always have the choice to give them your information. If you do not want them to have it, then simply do not let them have it. Nothing hard about that at all.

            • Yeah, but my analogy helped support my argument better. Your analogy helps support yours.

              I think the answer may lie somewhere in the middle.

              Like where most companies are today. They try to protect the data, for the most part.

              If a company tries to protect your data and it is stolen I don't think it should be a crime.

              If a company has knowledge of a vulnerability and does nothing, that should be considered criminal negligence.

              • by ceoyoyo ( 59147 )

                That's usually how the laws work, and not just data protection. It's not illegal to crash into someone else's car. It's illegal to do it on purpose, while drunk, without insurance, or while not following the rules of the road.

                If you're collecting and storing people's valuable information then you have a responsibility to protect it using standard procedures.

    • Hey, they weren't completely stupid. They supposedly hashed and salted the passwords, and only kept partial credit card information.

      Perhaps the corps are learning. Crank up the penalties a little higher until they achieve some kind of reasonable standard.

      Perhaps a little pepper is in order
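      The salted hashes taken in this breach, plus the "pepper" suggested above, as an added example (not DoorDash's code or any commenter's): a server-side pepper kept out of the database means a leaked table alone does not let whoever holds the dump confirm password guesses against it. The scheme (PBKDF2-HMAC-SHA256 over an HMAC-peppered password) and the names `make_record`, `verify` and `offline_guess` are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, not DoorDash's code. Assumptions: PBKDF2-HMAC-SHA256 as the slow hash,
# a 16-byte random salt stored beside the hash, and a 32-byte "pepper" that lives only
# on the application server (env var / secrets manager), never in the database.
ITERATIONS = 100_000
SERVER_PEPPER = secrets.token_bytes(32)  # constructed for the demo; load from a secret store in practice


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # The pepper is folded in as the HMAC key over the password; the salted slow hash then
    # runs over that keyed digest, so a guess cannot be checked without the pepper.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)


def make_record(password: str, pepper: bytes = SERVER_PEPPER) -> dict:
    """What lands in the database: salt, iteration count and hash, but no pepper."""
    salt = os.urandom(16)
    digest = _derive(password, salt, pepper, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict, pepper: bytes = SERVER_PEPPER) -> bool:
    candidate = _derive(password, bytes.fromhex(record["salt"]), pepper, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def offline_guess(record: dict, candidates: list, pepper: bytes) -> Optional[str]:
    """Models what a holder of a leaked record can do: try candidates with the pepper it has.
    A database-only leak carries no pepper, so the best the holder can do is guess one."""
    for word in candidates:
        if verify(word, record, pepper):
            return word
    return None


if __name__ == "__main__":
    rec = make_record("summer2019")  # constructed weak password
    common = ["password", "123456", "summer2019", "qwerty"]  # constructed wordlist
    # Full compromise (database + application server): pepper known, weak password confirmed.
    assert offline_guess(rec, common, SERVER_PEPPER) == "summer2019"
    # Database-only leak, as in a stolen dump: pepper unknown, the same wordlist confirms nothing.
    assert offline_guess(rec, common, b"\x00" * 32) is None
    print("records resist offline guessing without the server-side pepper")
```

Salting alone still leaves a stolen table open to per-user guessing; the pepper only helps if it is rotated and stored separately from the database it protects.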

  • And nobody's going to jail so why even bother to report it? Everybody gets hacked and nobody gets into trouble for it.
  • by Oswald McWeany ( 2428506 ) on Friday September 27, 2019 @07:03AM (#59242244)

    So if the fact that 2/3rds of food delivery people admit to regularly stealing bits of their customer foods and even using the spoons, etc, isn't enough to put you off using them, you have to figure in that it's yet another place to have your data stolen from.

    Is it really that much of a convenience when they're spreading germs and making you have to follow up with loss prevention after your data gets stolen. Sometimes laziness is a very costly thing.

  • In the same vein that we (the Internet) have certificate signing to verify sites with https as a means of consumer protection. What services could we (the Internet) come up with to certify the backend of these services? Like some sort of non-profit open security audit where customers could see if the data behind all these service providers are protected. It would be nice if "audited by ___________" stamp of approval could come with these service providers. Think like "Intel Inside" stamp on products but for
    • Uh no. The Mozilla foundation is part of the problem. Firefox was changed so that local archiver Scrapbook+ would no longer work, and Mozilla spent TWENTY MILLION DOLLARS of DONATION MONEY to buy Pocket which stores pages on someone else's server who then knows what you're saving. Not only did they waste donations buying spyware, they then integrated it into the browser instead of making it an add-on.

      The Mozilla foundation is an event of privacy. Not to the same extent as Google, but in a very real way.

  • Maybe it just doesn't take immediate effect, but I've tried twice now and it's been over 15 minutes. I didn't get any error messages, but when I logged out and back in I still had to use the old one.

    At least 2FA was turned on by default. It's the thought that counts, right?

    I reviewed my order history just to make sure. It looks right. I didn't even realize I could rate my orders and I thought it funny that I could rate the order that I placed for pickup. Yeah, that delivery was excellent! Since then I
