Incident Of The Week: 4.9 Million Records Exposed For Food Delivery Service DoorDash

Third-Party Service Provider Blamed For PII And Partial Payment Card Data Breach

Add bookmark

Jeff Orr


You’re hungry but not interested in dressing up and heading out to a restaurant only to wait to be seated and take your turn to order. Take out is an option however you’d need to get dressed and make the trip. This modern need for on-demand gratification in all aspects of our lives has led to a boom in online ordering and delivery services that promise you access to your favorite cuisine without the hassle.

The business model for these services requires juggling a variety of local eateries, drivers that pick up and deliver the food, and hungry consumers that desire immediate satisfaction. All of these online businesses are data-first organizations performing matchmaking and delivering great experiences at the speed of cloud computing. And it doesn’t always work out to plan.

Food delivery service DoorDash announced this week that nearly 5 million user records were accessed by an unauthorized third party in May of this year. A combination of data from DoorDash merchants, its Dasher delivery personnel and end-user consumers were accessed. Users who joined the service after April 5, 2018 are not affected.

DoorDash Breach Notification

DoorDash users were met with a breach notification on Sept 26 when visiting the site’s blog


DoorDash is part of the thriving on-demand ecommerce delivery industry. Retail is one of the three leading U.S. industries reporting data breaches in 2019. Large data sets consisting of millions of user records make retail and ecommerce a prime target for cyber attackers. Skimming fraud and malware infections from legacy point-of-sale terminals continue to plague transaction-oriented businesses; however cloud migration and access misconfigurations are making it easier for cyber pirates to pilfer large troves of data with relative ease.

See Related: Top 8 Industries Reporting Data Breaches In The First Half Of 2019

A spokesperson for the delivery service told TechCrunch that a “third-party service provider” was to blame, though no specific provider was named. Since the breach occurred, DoorDash removed access to the data from the third-party, added additional protective security layers around the data, improved security protocols that govern access to DoorDash systems and brought in outside expertise to increase the company’s ability to identify and repel threats.

Breach by the Numbers

Number of records exposed?

4.9 million

Breach timeframe?

May 4, 2019

Who is impacted?

Consumers, Dashers, and merchants who joined the DoorDash platform on or before April 5, 2018

What information was accessed?

·         Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed and salted passwords

·         For some consumers, the last four digits of consumer payment cards

·         For some Dashers and merchants, the last four digits of their bank account number

·         For approximately 100,000 Dashers, their driver’s license numbers were also accessed



Nearly 5 months have passed since the data breach occurred and DoorDash is just now making its breach disclosure. Statistics on the time between breach events and breach detection vary. For the 100,000 Dashers whose personally identifiable information (PII) from their driver’s license was lifted, the company did not offer an explanation if and how the drivers’ identities will be repaired.

DoorDash said it does not believe that user passwords have been compromised and the information accessed is not sufficient to make fraudulent charges on payment cards or fraudulent withdrawals from bank accounts. Those affected are encouraged to check bank statements for unusual activity.

This is not the first time that the delivery service has come up related to a data breach. Nearly a year ago to the day, DoorDash customers reported their accounts had been hacked. The company denied it was aware of the data compromise and offered credential stuffing attacks as the likely source. Users refuted the claim, stating that unique passwords used only on the delivery service site were compromised.

See Related: Top 5 Cyber Security Breaches Of 2019 So Far