The demand for food delivery services like DoorDash has skyrocketed in the wake of the Coronavirus pandemic. Since we give these apps a treasure trove of personal and banking information, you need to ask yourself, is my information safe?
A massive DoorDash data breach by a third party was discovered in May 2019. A slew of personal information and financial details were compromised during the leak putting many at risk of a cyberattack.
So how do you find out if you were affected by the DoorDash data leak? And what can you do about it, if so?
DoorDash Data Breach
The monster leak, reported by DoorDash in a blog post in September 2019, compromised the data of up to 4.2 million users, Dashers, and yes, even merchants.
Among the slew of information leaked was profile information including names, email addresses, phone numbers, people’s order histories, and worse, home addresses. So there’s a chance that a creeper knows everything about you now—including where you live!
Aside from this, the leak exposed hashed and salted passwords.
Hashing and salting are functions similar to standard encryption that sites use to protect passwords from hackers. Unlike encryption, hashing isn’t designed to be reversible but many cybercriminals have found ways to crack even hashed passwords.
Furthermore, the leak exposed the last four digits of their customer’s credit cards or payment details, plus the last four digits of their merchant’s and Dasher’s bank account numbers.
Around 100,000 Dashers also had their driver’s license numbers exposed.
Have You Been Affected by the DoorDash Data Breach?
UPDATE: Christmas is about so much more than presents!
— Billy Hensley (@HensleyTweets) December 18, 2020
Hackers stole $313 from my @DoorDash account, and @DoorDash_Help couldn't recover the money, but the good @dfwticket P1s, led by @tweetgrubes, helped by sending $240 to my paypal thewirerims@gmail.com
Thank yall so much!!! pic.twitter.com/SEz2Rws01P
DoorDash contacted all those affected so you may have received an email around the time the leak happened.
If you don’t think you got one, or don’t recall getting one, it’s best to search through your inbox and folders to check if you may have missed it.
The data leak affected users who joined the platform on or before April 5, 2018, so another way to check if you were part of the leak is to check your sign-up date. Search your inbox for your confirmation email, or your order history in the app. You can also double-check the transactions in your credit card statement to trace when you started ordering.
Have I Been Pwned?
There’s a nifty site you can use to check if the email address associated with your DoorDash account has been part of any data breaches or leaks. Have I Been Pwned offers a simple interface where you can type in your email address to check. The site searches for data breaches with leaked information tied to that address.
Their Pwned Passwords service checks people’s passwords against previous data breaches too.
If you want to be notified when your email gets caught up in a future data leak, you can subscribe to their free email notification service.
What Other Breach Checkers Can I Use?
$MeeshaLee18 - Single mom; struggling to make ends meet already and then my DoorDash account was hacked and $380 stolen from me. Fighting with #DoorDash now but I have lost hope of getting that money. Any little bit helps. Thank you! 🙏 pic.twitter.com/KBAgtdrJzN
— Michelle Burns (@Michell09401370) April 1, 2020
Aside from Pwned, you can also use Breach Alarm and Dehashed.
Breach Alarm checks your email against recent data breaches against a list of information posted by hackers. Dehashed is a comprehensive data breach search engine that checks not just emails but also names and usernames.
These sites work by aggregating data from the deep web. Such data is obtained after a leak and posted by hackers.
Google Account Security
Google too, has a way for you to check if your Gmail has been part of a data leak through the Google Account Setting. When you open your Gmail, click the dotted box beside your icon on the top right corner of your browser. Then go to account.
Here you’ll see a big red warning notifying you of critical security issues found i.e. if your email was part of a recent data leak. You can click take action to go to security check-up. Here you’ll see if your saved passwords have been part of which leak. At the bottom, you’ll even see a list of third-party apps that have access to your data. You can remove access to these right here.
What Can Cybercriminals Do With My Information?
For the person in Mesquite, TX who somehow managed to hack into my @DoorDash account even though I have two types of Authenticator up.
— Elix (@Elix_9) January 21, 2021
If you truly cannot afford the chicken at Jack in the Box and are hungry, hit me up, I’ll buy it for you ❤️ pic.twitter.com/3ndVLRXRNJ
Cybercriminals can sell your information on the dark web. According to reports, DoorDash accounts with attached credit card details are being peddled on the dark web for a few dollars.
While some petty thieves can use it to simply get a free meal sometimes even using your DoorDash credits, advanced hackers can purchase the email and cracked passwords in bulk. These can be tested against other sites in an attack called credential stuffing. If successful they can infiltrate your bank accounts and drain the funds, use your credit card to make expensive purchases, or use your accounts for phishing attacks against your contacts.
Furthermore, your PII can be used for identity theft or other crimes.
What To Do If My Information Was Compromised?
If you were part of the leak there’s a chance that your information’s already out for sale on the dark web. Someone may already have your information and have been waiting to attack. Even though the leak happened years ago, some hackers wait months even years to initiate a cyber-attack.
To secure your accounts, first, you can change your passwords immediately. Then enable two-factor authentication (2FA) or multi-factor authentication (MFA) if possible. Check your bank and credit card statements for dodgy transactions you may have missed. Watch out for phishing emails and keep your AV up to date.
Contact your banking institution and notify them about the situation. If you notice dodgy transactions in any of your accounts you may need to close this account and open a new one. Although others take it a step further by ordering a credit report. Here you can see all listed accounts and check if there are new accounts you don’t recognize. You can even request a fraud alert or credit freeze if needed.
Guard Your Data
The DoorDash data leak shows that even tech giants and popular platforms are not immune to breaches.
There are ways to find out if your information has been compromised in the DoorDash 2019 leak. And when you find out that your information has been leaked there are steps you can do to secure your data, but you need to act fast.