Cyber Incident Victim: DoorDash
Date: May 2019
Location: United States of America
Summary
A cybersecurity breach at DoorDash compromised personal data of approximately 4.9 million users, including customers, delivery personnel, and merchants. The unauthorized access exposed profile information, contact details, delivery addresses, order histories, and hashed passwords, with additional exposure of driver's license numbers for some workers and partial financial data for others. The company blocked further access, enhanced security measures, and notified affected individuals; it downplayed immediate risks while acknowledging potential vulnerabilities.
Description
On September 26, 2019, DoorDash publicly disclosed a security breach affecting approximately 4.9 million users, including customers, delivery personnel ("dashers"), and merchants. The company stated it had detected unusual activity involving a third-party service provider earlier in September 2019, prompting an investigation with external security experts. This investigation revealed unauthorized access to user data on May 4, 2019. The breach impacted individuals who joined the platform on or before April 5, 2018, with those enrolling after this date unaffected. Compromised information included profile names, email addresses, phone numbers, delivery addresses, order histories, and hashed passwords. Approximately 100,000 dashers additionally had their driver's license numbers exposed. For some merchants and dashers, the last four digits of bank account numbers were accessed, while some customers had the final four digits of saved credit card numbers exposed.

DoorDash initiated immediate containment measures by blocking the unauthorized third party's access and began notifying affected users via email, directing them to a public blog post detailing the incident. While asserting that no evidence indicated passwords had been compromised or that enough financial data had been exposed to make fraudulent transactions, the company recommended password changes as a precautionary measure. Security enhancements implemented included additional protective layers around data, improved access control protocols, and engagement of external cybersecurity expertise to strengthen threat detection capabilities. The breach notification emphasized ongoing monitoring of systems but did not disclose the identity of the third-party service provider involved or specify whether law enforcement was engaged. Impacted users were advised to monitor their financial accounts despite DoorDash's assessment of limited immediate fraud risk from the exposed partial banking information.
