Data breach at DoorDash sees 4.9 million users' personal information stolen
A woman uses her computer keyboard to type while surfing the internet. THE CANADIAN PRESS/Jonathan Hayward
Aleksandra Sagan, The Canadian Press
Published Friday, September 27, 2019 12:28PM EDT
Last Updated Friday, September 27, 2019 4:00PM EDT
An undisclosed number of Canadians are among the roughly 4.9 million DoorDash users, drivers and merchants who had their personal information stolen during a May data breach - the latest in a string of privacy scares in recent years.
“We don't discuss overall user, merchant or Dasher numbers publicly,” wrote spokesperson Mattie Magdovitz in an email when asked how many of the millions impacted were in Canada.
Those whose information was compromised would have been contacted directly by the company, Magdovitz said.
The California-based company is encouraging users to change their passwords via a dedicated reset site, and has set up a call centre for round-the-clock support.
“... Out of an abundance of caution, we are encouraging all of those affected to reset their passwords to one that is unique to DoorDash,” reads an email received by a Canadian customer in Toronto.
The company operates in Toronto, as well as Calgary, Edmonton, Ottawa, Montreal, Regina, Vancouver, Winnipeg and several other Canadian cities.
But the company said only some - not all - of those who started using the app on or after April 5, 2018 were affected.
“For security reasons and because our investigation is still ongoing, I cannot get into specific details,” wrote Magdovitz, when asked why that particular date marked the cutoff.
The date is prior to the company launching operations in some of its Canadian locations. DoorDash became available in Winnipeg this May, for example, and Montreal in August.
Earlier in September, the company noticed what it called “unusual activity involving a third-party service provider,” it said in a statement posted to its blog Thursday. It launched an investigation that included outside security experts and determined some DoorDash user data was accessed on May 4.
It “took immediate steps to block further access” by that party and enhanced its security, the company said.
DoorDash notified law enforcement and regulators, and is assisting them in their ongoing investigation, said Magdovitz.
The stolen data may include profile information, such as users' names, email addresses, delivery addresses and phone numbers. It may also include “hashed, salted passwords,” which the company said make the actual password indecipherable to a third party.
It appears some consumers also had the last four digits of their payment cards taken, while some drivers and merchants had the last four digits of their bank account numbers stolen.
However, the company said the perpetrator or perpetrators did not obtain enough information to make fraudulent charges or withdrawals.
About 100,000 drivers had their driver's license numbers stolen.
The DoorDash breach is one of several large-scale privacy invasions in recent years.
A data breach at Capital One in July exposed the data of about six million Canadians, including roughly a million social insurance numbers, as well as the data of about 100 million American clients.
In June, Desjardins Group revealed a data breach there affected nearly three million members, including individuals and businesses. Names, addresses, birthdates, social-insurance numbers and other private information was leaked.
And in 2017, some 19,000 Canadians had their data compromised as part of a broader breach at Equifax Inc. The breach impacted nearly 150 million people, including the Canadians.
This report by The Canadian Press was first published Sept. 27, 2019.