A hack on food-delivery service DoorDash leaked the personal data of 4.9 million customers, delivery workers, and merchants, the company revealed on Thursday.
The breach took place on May 4, but DoorDash officials didn't learn of it until earlier this month, when they noticed unusual activity involving an unnamed third-party service provider. That's what DoorDash says in a post, which began: "We take the security of our community very seriously." Data obtained by the attacker could include names, email addresses, delivery addresses, order histories, phone numbers, and cryptographically hashed and salted passwords.
Also exposed were the last four digits of customers' payment cards and the last four digits of delivery workers' and merchants' bank accounts. Driver's license numbers for about 100,000 delivery workers were also accessed.
DoorDash has no evidence to indicate people who joined the service after April 5, 2018, had their data taken. The 4.9 million figure includes only a portion of users who joined on or before that date. The company said it's in the process of directly notifying those affected.
Change passwords now
The DoorDash post didn't provide details about the cryptographic hashing regimen used to protect passwords, and a spokeswoman's email didn't answer a question seeking that detail. The type of hashing DoorDash used is crucial to assessing the severity of the breach.
Hashing is a process that converts a plaintext password such as "Dan'ssupersecurepassword" (not including the quotation marks) into a long string such as 7140e92c2d1e125aabbdab4cdf31cce8. Hashes are one-way, meaning there's no mathematical way to convert hashes into the plaintext they were derived from. Hackers can sometimes work around this protection by running large lists of password guesses through hash generators and looking for results that match the hashes found in a breach. Many services in the past have used weak algorithms such as MD5 and SHA1, which were never intended to be used to protect stored passwords. The result: it's trivial for the intruders to crack the hashes generated with these algorithms.
DoorDash's Thursday assurance that passwords had been hashed means little without knowing the specific algorithm or function used. The fact that th