This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

DoorDash

Summary

DoorDash, the food delivery platform competing with UberEats and Menulog in Australia, disclosed in September 2019 that it had suffered a data breach affecting nearly 5 million users globally, including Australian customers. The breach exposed personal information of customers, delivery drivers, and merchant partners who used the platform. While DoorDash was smaller in Australia than competitors, the breach still affected local users who had signed up for the American-based service.

What Happened

Hacking. Cybercriminals gained unauthorised access to DoorDash's databases containing user information for approximately 4.9 million customers, delivery drivers (known as "Dashers"), and merchant partners worldwide. The stolen data included names, email addresses, delivery addresses, phone numbers, and hashed/salted passwords. For some delivery drivers, the breach also exposed the last four digits of their bank account numbers used for payments. For approximately 100,000 Dashers, driver's license numbers were also compromised. The breach occurred in May 2019 but was not publicly disclosed until September, raising questions about the delay in notification.

Impact on Individuals

  • Delivery Addresses: Home and work addresses where users received food deliveries exposed
  • Account Credentials: Email addresses and hashed passwords compromised, creating password reuse risks
  • Driver Information: Delivery workers had more sensitive data exposed including partial bank details
  • Contact Details: Phone numbers enabling SMS phishing or scam calls
  • Order Patterns: Delivery addresses and account details revealed food ordering habits
  • Global Breach: Australian users affected as part of international incident

For delivery drivers, the exposure of partial financial information and driver's license numbers created additional identity theft concerns.

Response

DoorDash engaged cybersecurity experts to investigate the breach and secure its systems. The company forced password resets for affected users and recommended that anyone who had used the same password on other services change those credentials as well. DoorDash notified approximately 4.9 million affected users worldwide, including Australian customers, via email. The platform implemented enhanced security measures and monitoring to prevent similar breaches. For delivery drivers whose more sensitive information was compromised, DoorDash offered additional support and monitoring services. The company faced criticism for the delay between when the breach occurred in May and when it was disclosed in September, with privacy advocates questioning whether users were notified in a timely manner as required under data protection laws.
