> The information accessed is not sufficient to make fraudulent charges on your payment card.
In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!"
All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: "Can I verify that last 4 of your social? And the last 4 of your credit card?"
How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.
Surely the actual problem here is that the responsibility for reliable identification somehow falls on the consumer, not the bank or what have you?
I'll give an example: if I get a phishing email claiming to be from my bank, and end up wiring them $1000, I'm out $1000 for not having done the due diligence for verifying that it in fact was my bank; my bank doesn't suddenly owe me $1000. Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).
If the onus for verifying your identity were on institutions (and, consequently, the losses in cases of failure to do so) I'm confident that we would have much more reliable means of personal identification magically pop into existence.
Hell, imagine how many scans of people’s passports and driver’s licenses are sitting in databases waiting to be leaked, yet images of those documents let you authenticate with all sorts of financial institutions online from banks to Coinbase to Paypal.
We really need to rethink all this. Until then, it feels like mere luck that today wasn’t the day someone decided to social engineer their way into your life.
Alternative, when do we start using proxy services that give minimal, fake information that forwards to our real identity? Apple sign-in was an understated release, but it will be one of the company's flagship products in years to come.
The cynic in me thinks they leaked names, addresses, and credit card numbers but not the CVV number. Without the CVV it's not technically possible to make charges, so it would not be a lie.
I think it's been clear since Equifax that private data can't be used to prove identity. I honestly wish the hacker behind that attack just gave away the entire dataset to the public. It would have stung a little at first, but it would have saved society a ton of time and money on the long run.
At least with a drivers license it should be pretty easy to commit identity theft and sign up for credit cards/open bank accounts with that person’s identity.
I'd like to point out, it's not "DoorDash" that has done anything wrong, it's these people:
- Andy Fang
- Evan Moore
- Stanley Tang
- Tony Xu
They decided our security and privacy wasn't worth as much as hur hur hur growth hacking startup hur hur next uber, and couldn't be arsed to even give us a proper apology.
Look at their blog post: not one mention of the words "we sorry, we fucked up".
It's all about the other guys.
The bad guys.
The guys who stole your data not us, and you should change your password with us to protect your account with us.
No. That's wrong. Look at the 295 million people who weren't affected -- all the people who don't use doordash at all!
That means the best way to protect yourself is to simply not use doordash. Delete it. Delete the email account and the bank/credit card you used with them (ask your bank/credit card company for a new number). Move if you've got to (drivers license details!?!?!?) You have no other protection now- you're fucked. They have your data, and they're only going to risk it again.
And remember how difficult it is to get in control of your data again when the next breach happens, the next time you're thinking about signing up with something, or you're getting ready to vote.
The official blog post doesn't give any information about the breach except "We noticed a third-party had unauthorized access to DoorDash data", and the TechCrunch article says that DoorDash responded that they couldn't explain how the breach happened. How are they so sure that they fixed the underlying cause if they don't even know how the third-party got access in the first place?
There is a silver lining in all these data breaches. At some point in time all our data will have been leaked at least once and probably more than once and subsequent leaks will not do any more damage.
The safe assumption would then be to not trust any accounts created online without some good old KYC processes in place requiring live verification of identity.
Totally agree! As a bit of self-promotion, my company (Berbix) is trying to solve this by automating ID checks and being the best possible stewards of this sensitive data: http://berbix.com
From the techcrunch article: "It’s not clear why it took almost five months for DoorDash to publicly reveal the breach. DoorDash spokesperson Mattie Magdovitz say why [sic]."
Pretty bad. If personal identity info is exposed, it is irresponsible not to notify users immediately so they can freeze credit and watch for suspicious activity. The blog post did mention a third-party vendor, so it's possible there was a delay, but it's a whole other problem if it took this long to find a breach.
This sounds like it could be "flipboard-itis". Flipboard stored passwords insecurely in the beginning (SHA-1), but switched to bcrypt as it scaled. The passwords breached were before 2015, so possibly a similar thing here where they started out with bad security and improved with scale (but left the old stuff behind). I'm guessing Doordash did something similar and improved security as it scaled.
They really should have given some actual information, i.e. how the information was stored. I want to know what algorithm was used, not how "it was securely stored so people still can't take your money" or some other corporate-speak intended to mitigate the damage.
The classic trite "We take the security of our community very seriously." Nearly every corporate communication about a breach says it and often it comes out to have been demonstrably untrue.
I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame, themselves.
The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.
I feel bad for the people affected but at least the scummy company got what it deserved for stealing tips (for those unaware, they used to withhold the total tips out of a delivery drivers base compensation so essentially taking the tips for themselves).
Now if they could just completely die so a more ethical competitor can take its place it would be even better.
The part where they didn’t tell the customers they were doing this is definitely scummy. The pure economics of it is more complicated—DoorDash was redistributing the “tips” to effectively guarantee higher minimum payment per order (a lot of customers don’t tip at all as the social expectations with the delivery apps are not as well established), and after they’ve changed the policy a number of dashers see their overall pay has decreased through no fault of their own (there can be many factors that are correlated with giving more 0 tips in a given area/route that have nothing to do with the driver).
The honest thing to do would have been to raise the delivery fees across the board, but that doesn’t attract customers. The seemingly optional “tip” preys on the customer’s mistaken assumptions and was used as a sneaky way to achieve the same thing.
They did no such thing, and I find it frustrating that people keep repeating this falsehood. Doordash promised to pay drives at least $X (where X was, I believe $1 or something like that) AND that the driver will make at least $Y from the delivery. The driver always gets the tip, plus a variable amount from DD. This is _exactly_ how it works for wait staff in restaurants in most states, except that is by hour instead of delivery. For example, in MA, the restaurant pays out a minimum of $3.75 (wait staff minimum wage in MA) and guarantees that the wait-person makes $11 (actual minimum wage). See https://www.dol.gov/whd/state/tipped.htm
DoorDash is the worst. They inexplicably banned me from their platform after giving me a credit for a bad order. I filed several support tickets over several months and kept getting canned responses about how they were "looking into the issue." Eventually I just switched to Uber Eats.
I've been vending myself unique email addresses for every online account I use for about 3 years. They are nice because I can reply to them like a regular mail and my actual email account gets stripped out automagically.
I've been considering making it a product and I wonder in this case what people would want to do when the account data gets leaked?
1. blackhole all email to the address.
2. forward all email to some email service that is never/rarely used.
3. flag messages that are not sent from the matching domain (doordash.com in this case).
4. blackhole and generate a new address so the user can go back to door dash and provide a fresh email address.
I also wonder if there is any use for meta data on who's trying to email a blackholed email addrress e.g spam blacklisting.
I still worry about DoorDashes security - someone has signed up for services with my email account - not an issue, I just will never verify them. But they had signed up for DoorDash, and I didn't realize it, and then I tried to sign up for the first time via the Android App with that same email account. I selected the email account to my surprise it immediately let me into the other persons account! They had ostensibly set up a password, but I didn't need it and could see their phone number and bits of their payment information. I sent in a support email for that one, and got the account closed, but still, not a great sign.
I propose a way to improve cybersecurity: FINE companies who loose sensitive customer data to hackers. Fines can be calculated according to the "breach severity grid" which is based on the type of data that is lost. For example:
1. Personal address, DOB - $15.
2. Each social security $20.
3. Driver license number $25.
4. Bank account numbers $30.
etc.
So a loss of 4.9 million social security numbers, DOB and addresses would generate a fine of $171,500,000
Problem solved!
Now, the company will think 100x times BEFORE collecting consumer data if they can actually PROTECT IT. Build robust security FIRST!
I received the email. I'd asked them to delete my account 6 months ago, and they confirmed at the time they'd "deactivated" it. I guess that wasn't enough to protect me. As an American developer, GDPR seemed like a pain at first, but more and more I wish we had something similar.
I don't know a great deal about DoorDash, but my understanding is that they're only in the US. If so, they're not bound by the EU's GDPR data breach disclosure timescales, which are "without undue delay and, where feasible, not later than 72 hours" if they're likely to result in a high risk to the rights and freedoms of data subjects, which this seems to fit. Compare that with the apparent five month delay here, with all its attendant risks to the customers whose data was made available. The EU has its flaws, but when I read stories like this I'm really happy I'm covered by GDPR.
[+] [-] cj|6 years ago|reply
In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!"
All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: "Can I verify that last 4 of your social? And the last 4 of your credit card?"
How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.
[+] [-] hchasestevens|6 years ago|reply
I'll give an example: if I get a phishing email claiming to be from my bank, and end up wiring them $1000, I'm out $1000 for not having done the due diligence for verifying that it in fact was my bank; my bank doesn't suddenly owe me $1000. Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).
If the onus for verifying your identity were on institutions (and, consequently, the losses in cases of failure to do so) I'm confident that we would have much more reliable means of personal identification magically pop into existence.
[+] [-] hombre_fatal|6 years ago|reply
We really need to rethink all this. Until then, it feels like mere luck that today wasn’t the day someone decided to social engineer their way into your life.
Everything is so precarious.
[+] [-] paxys|6 years ago|reply
[+] [-] ajhurliman|6 years ago|reply
[+] [-] nwallin|6 years ago|reply
I think it's been clear since Equifax that private data can't be used to prove identity. I honestly wish the hacker behind that attack just gave away the entire dataset to the public. It would have stung a little at first, but it would have saved society a ton of time and money on the long run.
[+] [-] tempsy|6 years ago|reply
[+] [-] rhizome|6 years ago|reply
[+] [-] boobePhuu7iet7i|6 years ago|reply
[+] [-] dmix|6 years ago|reply
Besides maybe the bank
[+] [-] antihero|6 years ago|reply
[+] [-] geocar|6 years ago|reply
- Andy Fang
- Evan Moore
- Stanley Tang
- Tony Xu
They decided our security and privacy wasn't worth as much as hur hur hur growth hacking startup hur hur next uber, and couldn't be arsed to even give us a proper apology.
Look at their blog post: not one mention of the words "we sorry, we fucked up".
It's all about the other guys.
The bad guys.
The guys who stole your data not us, and you should change your password with us to protect your account with us.
No. That's wrong. Look at the 295 million people who weren't affected -- all the people who don't use doordash at all!
That means the best way to protect yourself is to simply not use doordash. Delete it. Delete the email account and the bank/credit card you used with them (ask your bank/credit card company for a new number). Move if you've got to (drivers license details!?!?!?) You have no other protection now- you're fucked. They have your data, and they're only going to risk it again.
And remember how difficult it is to get in control of your data again when the next breach happens, the next time you're thinking about signing up with something, or you're getting ready to vote.
[+] [-] standardUser|6 years ago|reply
[+] [-] dvtrn|6 years ago|reply
[+] [-] quickthrower2|6 years ago|reply
[+] [-] Nas808|6 years ago|reply
[+] [-] dx87|6 years ago|reply
[+] [-] jacquesm|6 years ago|reply
The safe assumption would then be to not trust any accounts created online without some good old KYC processes in place requiring live verification of identity.
[+] [-] nwsm|6 years ago|reply
[+] [-] basicplus2|6 years ago|reply
[+] [-] roemance|6 years ago|reply
We've gone to great lengths to secure ID and DL information and have even built a watermarking service to track all access to these images: https://docs.berbix.com/docs/transactions#section-watermarki...
[+] [-] big_chungus|6 years ago|reply
From the techcrunch article: "It’s not clear why it took almost five months for DoorDash to publicly reveal the breach. DoorDash spokesperson Mattie Magdovitz say why [sic]."
Pretty bad. If personal identity info is exposed, it is irresponsible not to notify users immediately so they can freeze credit and watch for suspicious activity. The blog post did mention a third-party vendor, so it's possible there was a delay, but it's a whole other problem if it took this long to find a breach.
This sounds like it could be "flipboard-itis". Flipboard stored passwords insecurely in the beginning (SHA-1), but switched to bcrypt as it scaled. The passwords breached were before 2015, so possibly a similar thing here where they started out with bad security and improved with scale (but left the old stuff behind). I'm guessing Doordash did something similar and improved security as it scaled.
[+] [-] bin0|6 years ago|reply
[+] [-] tempsy|6 years ago|reply
[+] [-] rietta|6 years ago|reply
[+] [-] re|6 years ago|reply
https://www.troyhunt.com/we-take-security-seriously-otherwis...
> “We take security seriously”, otherwise known as “We didn’t take it seriously enough”
[+] [-] ohnope|6 years ago|reply
Someone should make a Tumblr for data breach marketing copy.
[+] [-] rhizome|6 years ago|reply
[+] [-] throwaway867295|6 years ago|reply
I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame, themselves.
The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.
[+] [-] luhn|6 years ago|reply
[+] [-] Nextgrid|6 years ago|reply
Now if they could just completely die so a more ethical competitor can take its place it would be even better.
[+] [-] lovecg|6 years ago|reply
The honest thing to do would have been to raise the delivery fees across the board, but that doesn’t attract customers. The seemingly optional “tip” preys on the customer’s mistaken assumptions and was used as a sneaky way to achieve the same thing.
[+] [-] Jagat|6 years ago|reply
[+] [-] bdcravens|6 years ago|reply
If a more ethical competitor can't match or exceed these, they won't be a competitor for long.
[+] [-] SomaticPirate|6 years ago|reply
[+] [-] RHSeeger|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] techslave|6 years ago|reply
[+] [-] jenrzzz|6 years ago|reply
[+] [-] greenail|6 years ago|reply
I've been considering making it a product and I wonder in this case what people would want to do when the account data gets leaked?
1. blackhole all email to the address. 2. forward all email to some email service that is never/rarely used. 3. flag messages that are not sent from the matching domain (doordash.com in this case). 4. blackhole and generate a new address so the user can go back to door dash and provide a fresh email address.
I also wonder if there is any use for meta data on who's trying to email a blackholed email addrress e.g spam blacklisting.
[+] [-] SketchySeaBeast|6 years ago|reply
[+] [-] readhn|6 years ago|reply
1. Personal address, DOB - $15. 2. Each social security $20. 3. Driver license number $25. 4. Bank account numbers $30. etc.
So a loss of 4.9 million social security numbers, DOB and addresses would generate a fine of $171,500,000
Problem solved!
Now, the company will think 100x times BEFORE collecting consumer data if they can actually PROTECT IT. Build robust security FIRST!
[+] [-] hnruss|6 years ago|reply
[+] [-] munk-a|6 years ago|reply
[+] [-] tolstoshev|6 years ago|reply
[+] [-] dylan604|6 years ago|reply
[+] [-] newherehi|6 years ago|reply
[+] [-] abuehrle|6 years ago|reply
[+] [-] cavisne|6 years ago|reply
Removed payment methods from my account and reset the password, but now I assume this was done to all users?
[+] [-] frereubu|6 years ago|reply