Facts and Commentary on the 2019 DoorDash Breach

Facts and Commentary on the 2019 DoorDash Breach

Once again, we face the reality of an enterprise data breach affecting millions. Yesterday, food delivery service DoorDash announced the breach of 4.9 million users. The affected users include customers, delivery workers, and merchants. 

According to a blog post by DoorDash, the breach occurred on May 4; it does not affect customers who joined after April 5, 2018. 

However, users who joined prior to that date suffered from significant data theft. The hackers stole names, emails, delivery addresses, order history, phone numbers, and salted and hashed passwords from customers. 

Although full payment card numbers and verification values remained secure, hackers did steal the last four digits of those cards. Meanwhile, those responsible also stole the last four digits of delivery workers’ and merchants’ bank accounts. Moreover, around 100,000 delivery workers had their driver’s license information stolen.   

Unfortunately, many questions remain unanswered in the wake of DoorDash breach; prominently, some ask why DoorDash representatives took months to announce the breach. Additionally, DoorDash spokesperson Mattie Magdovitz said the breach was due to “a third-party service provider” whom they did not specify.

Unfortunately, DoorDash suffered a cybersecurity incident previously. Almost a year prior, DoorDash customers complained of hacked accounts. Initially, DoorDash denied the breach at the time. 

What Experts Say About the DoorDash Breach

Of course, the DoorDash breach prompted a string of expert commentary from throughout the identity security world. Here are a few of our favorites! 


Ben Goodman is CISSP and SVP of global business and corporate development at ForgeRock.

“To maintain employee and user trust, and avoid legal consequences, applications and all other companies need to be more proactive in identifying and notifying customers of breaches, leaks or any other security vulnerabilities. Additionally, this breach could have been avoided if DoorDash leveraged modern and comprehensive identity access management (IAM) tools.” 

“IAM tools can provide organizations with ongoing, contextual security that prompts further identity verification, such as 2FA or MFA, when an unauthorized or unknown user attempt to access a database. With these in place, organizations ensure the safety of their data, employees, partners, and customers.”


Stephan Chenette is Co-Founder and CTO at AttackIQ.

“This incident is a good reminder that it’s not just customers who are impacted when a breach occurs. Given their service model, DoorDash must maintain the trust of workers and merchants in order to survive, and protecting their sensitive data is a big part of maintaining that trust.” 

“Organizations should continuously assess the viability of their security controls to make sure that they are enabled, configured correctly and operating effectively. Cybercriminals are continuously looking for gaps in security defenses and overlooked basic security misconfigurations, to turn a quick profit. It shouldn’t take a massive breach for companies to realize they need a more proactive approach to strengthen security.” 

How to Learn More

The DoorDash data breach indicates a clear violation of the principles of customer identity and access management (CIAM). To learn more about CIAM and IAM in general, you should check out our 2019 Identity Management Buyer’s Guide. We cover the top vendors and their key capabilities in detail. 

Ben Canner