DoorDash hacker spills tons of data for 4.9 million people




A data breach at DoorDash exposed the personal data of 4.9 million customers, delivery workers and merchants, the company said Thursday.

The breach occurred on May 4, but DoorDash officials only became aware of it at the beginning of this month, when they noticed unusual activity involving an unnamed third-party service provider. "We take the safety of our community very seriously," DoorDash wrote in its notice. Data obtained by the attacker may include names, email addresses, delivery addresses, order histories, phone numbers and salted, cryptographically hashed passwords.

The last four digits of customers' payment card numbers and the last four digits of delivery workers' and merchants' bank account numbers were also exposed. Driver's license numbers of approximately 100,000 delivery workers were also accessed.

DoorDash said it has no evidence that data belonging to people who joined the service after April 5, 2018 was taken. The 4.9 million figure covers only a subset of the users who joined on or before that date. The company said it was in the process of notifying affected people directly.

Change passwords now

DoorDash's notice gave no details about the cryptographic hash scheme used to protect passwords, and a spokesperson's email did not answer a question asking for that detail. The specific hash function DoorDash used is critical to assessing the severity of the breach.

Here's why:

Hashing is a process that converts a plaintext password such as "Dan'ssupersecurepassword" (without the quotation marks) into a fixed-length string such as 7140e92c2d1e125aabbdab4cdf31cce8. Hashes are one-way, meaning there is no practical way to run the function backwards and recover the plaintext a hash was derived from. Attackers can nonetheless get around this protection by feeding long lists of password guesses through the same hash function and looking for outputs that match the hashes taken in a breach. In the past, many services used fast algorithms such as MD5 and SHA1, which were never designed for protecting stored passwords. As a result, hashes generated with those algorithms are easy for intruders to crack.

DoorDash's assurance on Thursday that the passwords were hashed therefore means little without knowing the specific algorithm or function used. That the hashing routine includes a "salt" is encouraging: done correctly, a per-user salt forces attackers to crack each of the millions of hashes separately rather than with one precomputed table, which substantially raises the computing power required. But unless DoorDash says more, people should remain deeply skeptical of the company's claim that the hashing made the passwords "indecipherable" and that it does not believe users' passwords were compromised.
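To make the two points above concrete (a fast unsalted hash falls to a wordlist or a precomputed table, while a salted, iterated hash has to be attacked one user at a time and at a higher cost per guess), here is an added example that is not from the article and says nothing about DoorDash's actual scheme, which the company did not disclose. It uses Python's standard library only; the wordlist and the PBKDF2-HMAC-SHA256 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a leaked-password list (assumption).
WORDLIST = ["123456", "password", "letmein", "supersecurepassword", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the kind of fast hash many older sites stored."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(target_hex: str, wordlist=WORDLIST):
    """Offline guessing: hash each candidate and compare with the leaked hash.
    Returns the matching password or None. One cheap hash per guess."""
    for guess in wordlist:
        if md5_hex(guess) == target_hex:
            return guess
    return None


def build_lookup_table(wordlist=WORDLIST) -> dict:
    """Precomputed hash -> password table. Because there is no salt, the same
    table cracks every user in a dump with a single dictionary lookup each."""
    return {md5_hex(w): w for w in wordlist}


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib). Chosen here only to show
    what 'salted and slow' buys; it is not DoorDash's (undisclosed) scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """What a server would store per user: random salt, work factor, digest."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": pbkdf2_hash(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def crack_pbkdf2(record: dict, wordlist=WORDLIST):
    """The same guessing attack against a salted record. It still succeeds for
    a weak password, but every guess now costs `iterations` HMAC calls and the
    work must be repeated per user, since each user's salt differs."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    leaked = md5_hex("supersecurepassword")
    print("unsalted MD5 cracked:", crack_unsalted_md5(leaked))
    print("table lookup cracked:", build_lookup_table().get(leaked))
    rec = make_record("letmein", iterations=50_000)
    print("salted PBKDF2 cracked:", crack_pbkdf2(rec))
    # Same password, fresh salt: a different digest, so no shared table helps.
    print("digests differ:", rec["digest"] != make_record("letmein", 50_000)["digest"])
```

The iteration count is the "more computing power" the article refers to: at 200,000 iterations each guess costs roughly that many SHA-256 operations instead of one, and the per-user salt means that cost is paid once per user rather than once per dump. None of this rescues a password that appears in a wordlist, which is why the advice to change it stands regardless of the algorithm.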

Anyone with a DoorDash account should change their password to a strong, unique one. Anyone who reused their DoorDash password on other sites should change those passwords as well.

DoorDash said it took steps to block the intruder's access after discovering the breach earlier this month. That leaves open the possibility that the attackers had access for roughly four months. Thursday's notice did not address this possibility, and DoorDash's spokesperson declined to answer a question asking for clarification. DoorDash said people with questions can call 855-646-4683.
