"While it's still unknown why DoorDash took nearly five months to publicly announce their breach that happened in early May, the food delivery app company could be subjected to significant fines for not addressing the major security incident more promptly as required by law", said Ben Goodman, senior vice president of global business and corporate development at access management platform provider ForgeRock Inc.
Around 4.9 million DoorDash users have been affected by the breach, which saw personal information including names, physical addresses, phone numbers, email addresses and even order history accessed illegally. Some Dashers and merchants may have also had the last four digits of their bank account numbers compromised, according to the company.
The last four digits of some customers' credit cards, as well as the final four digits of merchants' and delivery people's bank accounts, were also exposed in some cases.
However, DoorDash has neither clarified how the third party accessed users' data nor explained how the company came to know about the data breach.
"Earlier this month, we became aware of unusual activity involving a third-party service provider", it said.
The data was accessed by a third-party service provider on May 4, DoorDash said in an email to customers. DoorDash works with hundreds of restaurants, providing the service for them, and customers do not mind paying the additional fees.
Many people are also of the opinion that until substantial penalties are levied against these companies, data breaches will continue to occur.
DoorDash denied that there had been any breach and suggested that the customers had been victims of credential stuffing, which would mean that hackers took lists of stolen usernames and passwords found online and used them on other sites.
For further information, you can see DoorDash's FAQ page. Approximately 100,000 Dashers, the employees who deliver food for the company, had their driver's license numbers accessed as well.
DoorDash said it did not believe passwords were compromised, but advised users to change them to be safe. The company's growth can be attributed to its reach of 3,300 cities across the USA and Canada. The exposed last four digits, however, are not sufficient to make fraudulent charges or withdrawals. Still, the worst has already happened, and the least you can do is change your password right away. DoorDash says it has already increased security around customer data since learning about the breach in May 2019.
Needless to say, you shouldn't be reusing passwords from one account to another, especially when a credit-card number is tied to an account. Users can call the company's dedicated call center, available 24/7, for support at 855-646-4683. DoorDash launched an investigation that included outside security experts and determined some DoorDash user data was accessed on May 4.