Security Experts:

Connect with us

Hi, what are you looking for?



DoorDash Breach Exposes Data of Nearly 5 Mn Users

On-demand restaurant meal delivery service DoorDash on Thursday said a breach of its system exposed nearly five million customers, eateries and “Dashers” to a data breach.

On-demand restaurant meal delivery service DoorDash on Thursday said a breach of its system exposed nearly five million customers, eateries and “Dashers” to a data breach.

The San Francisco-based startup, which competes in North America with Uber Eats and GrubHub, said it noticed unusual activity early this month and discovered DoorDash user data was accessed by “an unauthorized third party” in May.

DoorDash assured users in an online post that it immediately blocked the intruder’s cyber access and enhanced system security.

Data was exposed regarding approximately 4.9 million consumers, merchants and delivery people who joined the restaurant meal delivery platform on or before April 5 of last year, according to DoorDash.

Information included names, phone numbers, and email and delivery addresses, along with passwords scrambled to be indecipherable, DoorDash said.

The last four digits of some customers’ credit cards, as well as the final four digits of merchant and delivery people’s bank accounts, were also exposed in some cases.

“The information accessed is not sufficient to make fraudulent charges on your payment card” or withdrawals from bank accounts, DoorDash said.

Driver’s license numbers for some 100,000 delivery people, referred to as “Dashers,” were also exposed.

DoorDash said it did not believe passwords were compromised, but advised users to change them to be safe.

“We deeply regret the frustration and inconvenience that this may cause you,” DoorDash said.

“Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”

DoorDash at the end of last year was the leading US service to use a mobile app to match restaurant take-away orders with people willing to deliver the meals for a price.

DoorDash in August announced it was acquiring crosstown rival Caviar in a deal valued at $410 million.

DoorDash said it made the cash-and-stock deal with Square, the digital payments firm led by Twitter founder Jack Dorsey, which acquired Caviar in 2014.

While both firms offer on-demand delivery from restaurants online and using smartphone apps, they have different geographic “footprints” and restaurant partnerships.

“The addition of Caviar’s premium restaurants, with whom DoorDash will work closely to drive their growth, will enable the combined organization to cater to every food preference and occasion,” a statement from the companies said at the time.

DoorDash, founded in 2013 by Tony Xu and two other Stanford University students, serves some 4,000 cities in the United States and Canada and reaches some 80 percent of US households.

DoorDash was in the news earlier this year over a tipping policy that allowed the company to use consumer tips to make up base pay for its delivery contractors, a policy that was later modified.

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.