On September 24, 2024, an alleged cyber attack against the food delivery service DoorDash was reported. The threat actor, 888, claims to have leaked DoorDash data comprising 1.5 million rows, with fields including Timestamp UTC Time, Timestamp UTC Date, Timestamp Local Time, Timestamp Local Date, Payout Time, Payout Date, Store ID, Business ID, Store Name, and more.
DoorDash has reportedly been compromised as part of a series of cyber attacks that has also targeted major organizations like Dell, the U.S. Department of Defense, the FBI, and the TSA. The alleged breach is claimed to expose sensitive records, though it’s unclear whether the claims are legitimate.
This isn’t the first time DoorDash has faced a security incident. In August 2022, the food delivery service disclosed a breach involving a third-party vendor that fell victim to a phishing attack. That incident impacted 367,000 users, leaking email addresses, names, postcodes, and partial payment card information. DoorDash responded by cutting off the vendor’s access to its systems and addressing privacy concerns raised by the breach.
As of now, DoorDash has not issued an official statement regarding this new alleged breach. However, based on past incidents, it’s likely that the company will notify affected users and release a public update if the claims are substantiated. This latest breach, if confirmed, appears to involve a larger scope, potentially exposing store and transaction data.
Details of the compromised data include order timestamps, store IDs, transaction details, payout information, and fees. Notably, the sample data does not include any Personally Identifiable Information (PII), focusing instead on order and store data.
According to the information provided, the compromised data includes timestamps, payout information, Business ID, store name, merchant store ID, transaction information, order information, commission, marketing fees, SNAP EBT discount, payment information, transaction ID, driver charge, tax information, consumer tip, and more.
While the breach seems credible based on initial information, users will need to wait for an official statement from DoorDash. Until then, there’s little that can be done other than monitoring the situation and preparing for potential announcements from the company.