Published September 30, 2025

DoorDash data breach: how dashers and customers can safeguard themselves after a third-party breach


Even companies that invest millions in cybersecurity can still fall victim to a data breach. The weak link is often a third-party vendor that lacks strict data safety protocols. When that happens, both employees and customers pay the price.

DoorDash data breaches, both the 2019 and 2022 incidents, showcase exactly what happens when vendors become liabilities.

This article will cover the timeline of both events, information exposed, risks to customers and dashers, and legal repercussions. We will also discuss how to protect yourself if you’ve had your DoorDash account hacked.


Understanding the DoorDash data breach incidents: did DoorDash get hacked?

When you hear about a DoorDash data breach, it’s easy to assume the famous food delivery company was hacked. But the reality is a bit more complex. 

Both DoorDash security breaches were a result of third-party negligence. The company didn’t experience a direct hack; that is, the hackers didn’t break through DoorDash’s actual cybersecurity defenses.

Instead, they targeted companies that were working with DoorDash and had access to its internal systems. By using these third-party vendors as entry points, bad actors got into DoorDash’s databases, which was the end goal.

Delivery platforms, such as DoorDash, collect a massive amount of high-value information, such as their customers’ payment, identity, and location data. This makes them very attractive targets in the eyes of cybercriminals.


DoorDash data breach 2019: Customer, delivery worker & merchant data stolen in a third-party service provider attack

On May 4, 2019, DoorDash experienced a third-party data breach that affected about 4.9 million of its customers, restaurants, and delivery workers. The company spoke out about the incident on September 26, 2019. They never disclosed what exactly happened and which third-party vendor was to blame.

The DoorDash breach allegedly affected only the users who joined after April 5, 2018. If you used the platform before then, you should be safe. The incident exposed the users’ personally identifiable information (PII), partial banking information, and license plate numbers.

DoorDash data breach 2022: Third-party vendor hacked through a sophisticated phishing campaign

On August 25, 2022, DoorDash revealed that it had suffered a third-party data breach earlier that year. Through a successful phishing attack, malicious attackers obtained a third-party employee’s login credentials and gained access to some of the DoorDash internal systems.

DoorDash didn’t reveal what the event timeline was or the identity of the third-party vendor. They did, however, disclose that the vendor fell victim to the same hacker group that targeted the SMS communication firm Twilio. The group, dubbed “0ktapus”, also targeted the password manager LastPass.

The second DoorDash security breach exposed both PII and partial financial information.

What data was exposed in both DoorDash breaches?

DoorDash data breaches exposed highly sensitive information, both PII and financial data.

Affected party: information exposed

Customers
  • Names
  • Phone numbers
  • Email addresses
  • Delivery addresses
  • Order history
  • Partial banking information (last four digits of credit/debit cards or bank accounts, expiration dates, brands)
  • Salted and hashed passwords

Dashers
  • Names
  • Phone numbers
  • Email addresses
  • Partial banking information (last four digits of credit or debit cards, expiration dates, brands)
  • Driver’s license numbers (100k affected in 2019)

Merchants
  • Contact details
  • Partial banking information

DoorDash emphasized that the attackers stole only partial banking information, so full numbers and card verification values (CVV) were not taken. But even partial information can be misused in social engineering scams.

Also, attackers rarely rely on just one breach as a data source. They’ll likely cross-reference your info across different sources to build a more complete profile. With giant data repositories such as the MOAB, that’s now easier than ever.


DoorDash response: too little, too late? 

2019 breach: A five-month delay

DoorDash stated the cyberattack happened in early May 2019, and the official announcement came out almost 5 months later, on September 26, 2019.

The company noticed unusual third-party activity and immediately took steps to block their access. DoorDash hired external security experts to investigate what happened and invested in additional security protocols to prevent future breaches.

They also reached out to the affected users with precise information on what sort of data was exposed. A 24/7 customer support call center was set up to address users’ questions or concerns.

DoorDash didn’t clarify how the attack unfolded, how the fraudsters accessed the users’ data, or when they realized something was going on.

2022 breach: Scarce reporting

DoorDash took immediate action to secure its systems and cut ties with the unnamed third-party vendor. They cooperated with the police, initiated an external investigation with cybersecurity experts, and added extra data security layers. DoorDash employees also reached out to the affected users and advised them on the steps to take.

The second time around, the delivery service did not disclose the exact timing of the breach or the number of affected accounts. However, security researchers later confirmed that approximately 367,476 email addresses linked to the incident appeared in dark web datasets and were indexed by HaveIBeenPwned.

The public frustration

[Images: posts about the DoorDash data breach. Sources: X and Reddit]

After the 2019 DoorDash data breach, close to five months passed before the company announced it. Many users were upset that they had been unaware of the incident and unable to take precautions while the attackers were free to sell and misuse their data.

Others felt like the significance of the 2019 breach was downplayed, especially with the company emphasizing that only partial banking information was exposed. 

In other words… “We leaked a bunch of your personal information, but at least it’s not enough data to steal your money!” a user wrote on Hacker News.

The public sentiment resulted in significant legal repercussions, including a class action lawsuit.

Legal and reputational consequences after the DoorDash data breach 2019

Later in the news: DoorDash class action lawsuit says best they can do is $2.50.

Reddit user

After the DoorDash data breaches, some of the affected users sought legal action. Gibbs Mura, a law firm based in California, is still investigating the incident and having conversations with the victims.

On October 4, 2019, the Nelson v. DoorDash, Inc. class action lawsuit was filed in the state of New York. This lawsuit represented all dashers whose PII, financial information, and driver’s license numbers were exposed in the 2019 DoorDash breach.

The lawsuit accused the delivery company of failing to take steps to protect the user data and to disclose the breach for five months. The case remains active, with no known official settlement reached. However, many people are skeptical about the case outcome or compensation.

The way DoorDash handled the data breaches took a toll on its reputation. Experts criticized the delivery company for its lack of transparency and delayed notifications. The repeated third-party nature of the incidents may also suggest a loose approach to cybersecurity, no segmentation, and poor access control.


Why are third-party vendor breaches dangerous? 

Phishing or credential theft at vendors gives attackers backdoor access to high-value data. Smaller vendors may lack enterprise-level security controls. Large-scale organizations often work with multiple third-party service providers, so the vast attack surface lets criminals choose which vendor to target.

We’ve already highlighted a fair number of high-profile third-party data breaches where the companies themselves weren’t directly hacked. Cases like the Bank of America data breach, Capital One breach and settlement, Truist data breach, USAA data incident, Target customer data exposure, Comcast breach, and Discord data leak all stemmed from vendor vulnerabilities.

DoorDash customers face a high risk of ID theft, account takeover, and financial fraud. Dashers also face increased long-term privacy risks, including financial fraud and driver’s license misuse, as well as employment scams.

How to know if your DoorDash account was hacked

If your DoorDash account was hacked, you would have likely received a notification from the company. You can always check for yourself if your email was exposed in DoorDash security breaches using HaveIBeenPwned.

Your account is more likely to have been compromised if you receive unfamiliar login notifications and strange password reset emails, or if you notice unauthorized orders and payment attempts.

What to do if your DoorDash account was breached

  • Change your DoorDash password immediately. Make it complex and unique.
  • Enable 2FA if possible. You can receive codes via SMS or email, but using a separate dedicated app (like Google Authenticator) is more secure.
  • Monitor bank and card statements for fraudulent activity. Keep a close eye on your finances, as bad actors sometimes make small, test charges.
  • Freeze your credit. Dashers who had their highly sensitive data exposed, including driver’s licenses and SSNs, might benefit from freezing their credit. This way, no one can open new credit cards or get loans in your name.
  • Report unauthorized charges to your bank/credit card provider. If you notice any charges you didn’t make, let your financial institution know immediately, so the charges can be disputed.

How to protect your personal information after a breach


With the number of data breaches going on these days, it’s safe to assume all of us will have our PII exposed at some point, so it’s good to know how to handle that situation.

  • Use a password manager to avoid credential stuffing. Cybercriminals are crossing their fingers that you’ve used the same email and password across all your accounts. A password manager can help you generate new, complex passwords for each of your accounts.
  • Set up credit monitoring or fraud alerts. This will provide an extra layer of safety if your financial information was exposed.
  • Watch out for phishing emails pretending to be DoorDash. After a data breach, phishing attempts typically become more common. Pause and think before clicking on any links. Contact DoorDash customer support directly to check what’s going on.
  • Limit the personal info stored in delivery apps. The best prevention is to store as little information as possible. 

How Onerep safeguards you from post-breach risks

Cybercriminals often combine stolen data with open-source personal information from data brokers and people-search sites. Enhanced datasets create richer victim profiles and enable more successful ID theft, impersonation, phishing, social engineering attacks, and fraud. They are also more valuable on the dark web.

That’s why it’s crucial to minimize the amount of personal information available on open sources. 

Onerep helps you locate and delete your data from over 240 data brokers and people-search websites. Reducing your personal information exposure leaves cybercriminals with little information to use against you and makes it harder to exploit stolen data.


Frequently Asked Questions 

Did DoorDash have a data breach?

Yes, the first DoorDash data breach happened in 2019, followed by another in 2022. Both were associated with third-party vendors.

How much money are people getting from the DoorDash settlement?

The settlement has not yet been reached, so it’s not clear how much money the affected users will receive.

Who qualifies for the DoorDash settlement?

The Nelson v. DoorDash class action lawsuit represents all delivery drivers whose PII and financial information had been exposed in the 2019 DoorDash breach.

What if my DoorDash account has been hacked?

If you had your DoorDash account hacked, make sure to change your password and use a password manager, set up credit monitoring or fraud alerts, stay alert for phishing emails, and limit the personal info stored in your delivery apps.

Mikalai Shershan Chief Technical Officer at Onerep

Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.
