DoorDash has confirmed a data breach that leaked phone numbers, first and last names, physical addresses, and other information. It’s unclear how many people are affected.
DoorDash said last week, “Our team recently identified and shut down a cybersecurity incident that involved an unauthorized third party gaining access to and taking certain user information. Importantly, no sensitive information was accessed by the unauthorized third party and we have no indication the data has been misused for fraud or identity theft at this time.”
The hackers gained access to DoorDash’s systems through a social engineering scam targeted at one of the company’s employees. The leaked information varies by person, but could include someone’s first and last name, phone number, email address, and physical address. Other private data, like social security numbers, driver’s license information, or payment details, were not accessed.
It’s not clear how many people are affected by the data breach. DoorDash didn’t include that detail in its public report, and it didn’t answer a request for comment from TechCrunch about it. The company only said the data breach included “a mix of consumers, Dashers, and merchants,” and it already notified people “where required.”
This breached credentials dump has millions of actively used passwords
Better change your password.
DoorDash said in its announcement, ” This incident did not involve sensitive information, such as payment or bank account information, and we have no indication that affected personal information has been misused for fraud or identity theft at this time. It is always a good idea to be cautious of unsolicited communications that ask for your personal information or refer you to a web page asking for personal information, and avoid clicking on links or downloading attachments from suspicious emails.”
Unfortunately, this isn’t the first lapse in security at DoorDash. There was another data breach in 2019 that affected roughly 4.9 million delivery people and merchants, which included bank account and payment card details for some accounts. In 2022, DoorDash was one of many companies affected by Twilo’s phishing attacks, which led to leaked personal details for a “small percentage” of users.
If you’re affected by this latest incident, there’s not much you can do besides staying alert for anyone trying to scam you. This one at least doesn’t include payment details or other private information, though it’s still not great to have your address leaked online and linked to other personal information.
Source: DoorDash via TechCrunch