In a blog post this week, food-delivery service DoorDash disclosed that 4.9 million customers, Dashers (delivery workers) and merchants had their information stolen by an unauthorized third party on May 4. Accessed data included names, emails and delivery addresses, order histories, phone numbers and hashed and salted passwords.
Although it is not believed that passwords were compromised, DoorDash encouraged all affected users to reset theirs to one that is unique to the service. According to 4iQ's "Password Security and Data Privacy Survey 2018," only 20% of respondents stated that they used a completely different password for each of their accounts, which is alarming given that unique passwords are widely considered a best practice for risk mitigation.
The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked. The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of usernames and passwords stolen from one service and try them on other sites where users have reused the same password. But many of the customers we spoke to said their passwords were unique to DoorDash, ruling out such an attack.