2019-09-27

HOUSTON — The food delivery service DoorDash announced Thursday that approximately 4.9 million consumers, drivers, and merchants were hacked on May 4, 2019.

In a blog post, DoorDash wrote the hacked information includes:

- Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.

- For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.

- For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.

- For approximately 100,000 Dashers, their driver’s license numbers were also accessed.

Rice University professor of cyber security Dan Wallach said there are more and better solutions than just changing your password after a breach like this.

“One of the things that any attacker tries to do is use a credential from one website to get into another website,” said Prof. Wallach.

He suggests a different password for every website, but acknowledges the pain of that practice, so he suggests using a password manager. Some web browsers have them built in.

“They’re very strong passwords that no robot would be able to guess,” said Wallach.

He also suggests two-factor authentication, particularly in hardware form, like a U2F drive.

“Even if I tell you my user name and password, without this, you’re not getting into my Google account,” said Wallach. “These authentication systems add extra friction. It’s harder to log in. In return, I can sleep better at night knowing my Google account is less likely to be hacked.”

He also advises people to use credit cards instead of debit cards when online shopping, to allow the customer time to dispute the charge before the money is taken from his or her account.

DoorDash wrote that it has taken several steps to improve security, including “adding additional protective security layers around the data, improving security protocols that govern access to its systems,” and bringing in outside expertise to increase the company’s “ability to identify and repel threats.”

DoorDash is encouraging all users to change their passwords, even though it believes user passwords were not compromised.

It is unclear why it took DoorDash more than four months to detect the breach. Wallach said it is pretty common for some time to pass before companies notice a breach and alert their customers.

As for the driver's license numbers, he said most of that information is already available through public records, and that hackers would need more info, such as a Social Security number, to open a credit card in that person's name.

As always, he suggests tracking your credit card statements as well.

