DoorDash hack sees customer details exposed

A DoorDash hack has been confirmed by the company, with customers' full contact details exposed by the security breach: name, address and phone number.

Separately, LastPass has also confirmed an attack on its own systems, but says it doesn’t believe any user data was obtained…

DoorDash hack

DoorDash says a “sophisticated” phishing attack resulted in the attacker obtaining user data.

We recently learned that a third-party vendor was the target of a sophisticated phishing campaign and some personal information held by DoorDash was affected. […]

For consumers, the information viewed by the unauthorized party mainly included name, email address, shipping address and telephone number.

For a smaller group of consumers, basic order information and partial payment card information (i.e. card type and last four digits of card number) were also accessed.

For Dashers, the information viewed by the unauthorized party primarily included name and phone number or email address. The information affected for each data subject may vary.

The company says the attacker did not access full card details, bank account details, social security numbers, social insurance numbers or passwords.

The DoorDash hack involved using stolen vendor credentials to access DoorDash’s internal tools, which then allowed the attacker to gain access to customer data.

The company says it took four actions in response:

  • Notified law enforcement
  • Notified affected users and data protection regulators
  • Enhanced security at DoorDash and at the third-party vendor
  • Enlisted a cybersecurity company to help with the investigation

Further information can be found in DoorDash’s FAQ.

LastPass Attack

BleepingComputer discovered an attack on password management company LastPass, which has since been confirmed by the company.

In this case, it appears the attackers were looking for the company’s source code and other proprietary information, not customer data.

Two weeks ago, we detected unusual activity in parts of the LastPass development environment. After launching an immediate investigation, we found no evidence that this incident involved access to customer data or encrypted password vaults.

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and certain proprietary technical information from LastPass.

The company pointed out that there is no way for a hacker to obtain users’ master passwords, as LastPass never has access to them.

This incident did not compromise your master password. We never store or know your master password. We use an industry-standard Zero Knowledge architecture that ensures LastPass can never know or access our customers’ master password. You can read more about the technical implementation of Zero Knowledge here.

Zero Knowledge protocols mean you can prove to LastPass that you know your master password without LastPass itself ever learning what it is. An easy way to understand the underlying principle is the colorblind friend analogy:

A colorblind friend has two balls, one red and one green, which they can’t tell apart but you can. To prove that you can, they hold a ball in each hand, put their hands behind their back, and either swap the balls between hands or not, at random. They then show you the balls again and you say whether or not they were swapped. Repeat as many times as needed to make correct guessing effectively impossible.

At the end of the process, your friend still doesn’t know which ball is which color, but is convinced that you do.
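The analogy above can be simulated to show why repetition matters: a colorblind (cheating) prover who simply guesses passes one round half the time, so after n rounds the chance of fooling the verifier is 1/2^n, while the verifier's transcript contains nothing but swap decisions and yes/no answers, never the colors themselves. The following Python is an added example written for this article; it is not LastPass code and models only the two-ball analogy, not LastPass's actual authentication design. The function and variable names are the example's own.

```python
import random

RED, GREEN = "red", "green"


def run_protocol(prover, rounds, rng):
    """Verifier's side of the colorblind-friend protocol.

    Each round the verifier randomly swaps (or doesn't swap) the two balls
    behind their back and asks the prover whether a swap happened. Returns
    True only if the prover answers correctly in every round.
    """
    hands = [RED, GREEN]          # what the verifier physically holds
    for _ in range(rounds):
        shown_before = tuple(hands)
        swapped = rng.random() < 0.5
        if swapped:
            hands.reverse()
        shown_after = tuple(hands)
        # The prover only ever sees the two arrangements, nothing else.
        if prover(shown_before, shown_after, rng) != swapped:
            return False          # one wrong answer ends the proof
    return True


def sighted_prover(before, after, rng):
    """Honest prover: can see colors, so compares the two arrangements."""
    return before != after


def colorblind_prover(before, after, rng):
    """Cheating prover: both arrangements look identical, so it must guess."""
    return rng.random() < 0.5


def cheat_success_rate(rounds, trials, seed=0):
    """Empirical probability that a guessing prover survives `rounds` rounds."""
    rng = random.Random(seed)
    wins = sum(run_protocol(colorblind_prover, rounds, rng) for _ in range(trials))
    return wins / trials


def soundness_bound(rounds):
    """Analytic bound: a guesser passes each independent round with p = 1/2."""
    return 0.5 ** rounds


if __name__ == "__main__":
    rng = random.Random(42)
    print("honest prover, 20 rounds:", run_protocol(sighted_prover, 20, rng))
    for n in (1, 5, 10):
        print(f"guesser, {n} rounds: observed {cheat_success_rate(n, 20000):.4f}, "
              f"bound {soundness_bound(n):.4f}")
```

Note that `run_protocol` never passes the colors to the caller in any form other than the two arrangements the prover already sees; the verifier's own decisions and the prover's yes/no answers are all that is exchanged, which is what "zero knowledge" refers to in the analogy.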

Take standard cybersecurity precautions

As always, take standard cybersecurity precautions: use strong, unique passwords for every website and app; give disguised answers to security questions; turn on two-factor authentication; and never click links in e-mails claiming to come from sensitive services such as banks, financial services or anything involving your Apple ID. Using a VPN service is recommended on public Wi-Fi hotspots.

Photo: Lewis Kang’ethe Ngugi/Unsplash
