DoorDash doesn't just pick up your food orders, it delivers your data to hackers, too Gig-economy delivery app maker DoorDash is so, so sorry this Thursday after hackers gained access to nearly five million of its customer accounts. The dial-a-serf service said that on May 4 of this year some miscreant was able to break into one of DoorDash's technology providers, and view account information including the …
I recently, after years of procrastinating, started to use LastPass and have found it both reassuring as well as highly convenient. What I have found surprising though, are the restrictions some sites place on both the accepted characters in a randomly generated password as well as the password length: I found myself criticising one site for disallowing use of #, % and ~ characters, and only allowing up to 20 characters when I wanted to use 25.
I say mostly because they still got hacked, but preventing all hacks is pretty much impossible since there are no truly secure operating systems available to them even if you patch promptly.
But the credit card numbers / bank accounts were just the last four digits, and the passwords were hashed and salted, and they self reported the hack promptly. So basically the hackers got a list of names, addresses, emails, and order details which is useless to identity thieves.
For once, a hack that wasn't. Now back to all the disastrous hacks that reveal all sorts of information that should never have been collected, was improperly handled, and covered up for far too long...
But the credit card numbers / bank accounts were just the last four digits, and the passwords were hashed and salted, and they self reported the hack promptly. So basically the hackers got a list of names, addresses, emails, and order details which is useless to identity thieves.
This isn't quite true.
That information (particularly things like portions of a card number) can be extremely useful when trying to social engineer access to other accounts. Think phoning up support lines with a sob-story to "regain" access to an account, the more credible and correct information you can provide, the more willing the support-agent is likely to be to break protocol to help you out.
So while it can't be used for identity theft directly, it provides information which can be used to help gain access to stuff which *can* more easily be used for identity theft.
But, I agree, the company's response to this appears to have been very good - they've self disclosed and seem to have been storing the minimum data as far as possible. You could argue that they should have encrypted those last-4 digits too, but they're not alone in not doing that.
And they *were* salting and hashing passwords, which is good. Though they don't say what hashing mechanism they were using, if it later turns out it was MD5 or SHA1 then that's really not so good.
The problem is, the person targetted with that info isn't the "owner" of the credit-card, it's the helpdesk person at their service provider.
It doesn't matter whether *you* would accept the last 4, it's whether an advisor at some company you have an account with will.
History shows, sadly, that they will
Well, they were putting their trust and, presumably without informed consent, their customers' trust in a third party. That immediately increases the attack surface.
Is this going to turn out to have been another of those cases where a backup was sitting, world readable, on a cloud provider's disks? From the account given it's data up to April 5 last year accessed on May 4 this year. That sounds awfully like a stale backup.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
