back to article DoorDash doesn't just pick up your food orders, it delivers your data to hackers, too

Gig-economy delivery app maker DoorDash is so, so sorry this Thursday after hackers gained access to nearly five million of its customer accounts. The dial-a-serf service said that on May 4 of this year some miscreant was able to break into one of DoorDash's technology providers, and view account information including the …

  1. Free treacle
    Paris Hilton

    (and, while you're at it, stop reusing passwords)

    "Average" users never will. My office lectures on password security are now bi-annual, but users typically change it to a different child's date of birth

    1. simonlb Silver badge

      Re: (and, while you're at it, stop reusing passwords)

      I recently, after years of procrastinating, started to use LastPass and have found it both reassuring as well as highly convenient. What I have found surprising though, are the restrictions some sites place on both the accepted characters in a randomly generated password as well as the password length: I found myself criticising one site for disallowing use of #, % and ~ characters, and only allowing up to 20 characters when I wanted to use 25.

      1. noboard

        Re: (and, while you're at it, stop reusing passwords)

        I agree, I was horrified when I tried to update my Microsoft password and was told the maximum length was 16 characters. This was a year ago and I don't think they've changed it yet.

  2. Anonymous Coward
    Anonymous Coward

    Door Dash?

    Odd name for a food business.

    A (toilet) Door Dash is something I do when I get the squints.

  3. Anonymous Coward
    Anonymous Coward

    Hey a company that's actually doing things (mostly) right

    I say mostly because they still got hacked, but preventing all hacks is pretty much impossible since there are no truly secure operating systems available to them even if you patch promptly.

    But the credit card numbers / bank accounts were just the last four digits, and the passwords were hashed and salted, and they self reported the hack promptly. So basically the hackers got a list of names, addresses, emails, and order details which is useless to identity thieves.

    For once, a hack that wasn't. Now back to all the disastrous hacks that reveal all sorts of information that should never have been collected, was improperly handled, and covered up for far too long...

    1. Ben Tasker Silver badge

      Re: Hey a company that's actually doing things (mostly) right

      But the credit card numbers / bank accounts were just the last four digits, and the passwords were hashed and salted, and they self reported the hack promptly. So basically the hackers got a list of names, addresses, emails, and order details which is useless to identity thieves.

      This isn't quite true.

      That information (particularly things like portions of a card number) can be extremely useful when trying to social engineer access to other accounts. Think phoning up support lines with a sob-story to "regain" access to an account, the more credible and correct information you can provide, the more willing the support-agent is likely to be to break protocol to help you out.

      So while it can't be used for identity theft directly, it provides information which can be used to help gain access to stuff which *can* more easily be used for identity theft.

      But, I agree, the company's response to this appears to have been very good - they've self disclosed and seem to have been storing the minimum data as far as possible. You could argue that they should have encrypted those last-4 digits too, but they're not alone in not doing that.

      And they *were* salting and hashing passwords, which is good. Though they don't say what hashing mechanism they were using, if it later turns out it was MD5 or SHA1 then that's really not so good.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hey a company that's actually doing things (mostly) right

        Anyone dumb enough to fall for it from providing the last four digits of the credit card number probably falls for the calls "from your credit card company".

        1. Ben Tasker Silver badge

          Re: Hey a company that's actually doing things (mostly) right

          The problem is, the person targetted with that info isn't the "owner" of the credit-card, it's the helpdesk person at their service provider.

          It doesn't matter whether *you* would accept the last 4, it's whether an advisor at some company you have an account with will.

          History shows, sadly, that they will

    2. Doctor Syntax Silver badge

      Re: Hey a company that's actually doing things (mostly) right

      Well, they were putting their trust and, presumably without informed consent, their customers' trust in a third party. That immediately increases the attack surface.

      Is this going to turn out to have been another of those cases where a backup was sitting, world readable, on a cloud provider's disks? From the account given it's data up to April 5 last year accessed on May 4 this year. That sounds awfully like a stale backup.

  4. zaax

    CVV stored?

    I was under the impression that the CVV should not be stored, is this no the case now?

    1. Doctor Syntax Silver badge

      Re: CVV stored?

      They say CVVs were not taken. That implies to me that they weren't stored.

  5. fidodogbreath Silver badge

    Cut out the big-tech middle man

    Go out and get your own damn food. Then your credit card number can be stolen directly from a local business,

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020