DoorDash confirms data breach affected 4.9M customers, workers and merchants (techcrunch.com)
526 points by bonyt on Sept 26, 2019 | 209 comments

> The information accessed is not sufficient to make fraudulent charges on your payment card.

In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!"

All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: "Can I verify that last 4 of your social? And the last 4 of your credit card?"

How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.

Surely the actual problem here is that the responsibility for reliable identification somehow falls on the consumer, not the bank or what have you?

I'll give an example: if I get a phishing email claiming to be from my bank, and end up wiring them $1000, I'm out $1000 for not having done the due diligence for verifying that it in fact was my bank; my bank doesn't suddenly owe me $1000. Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).

If the onus for verifying your identity were on institutions (and, consequently, the losses in cases of failure to do so) I'm confident that we would have much more reliable means of personal identification magically pop into existence.

> Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).

This isn't true, though. The bank is the one on the hook... eventually. The problem, of course, is that you have to get the bank to agree that it wasn't you who made the withdrawal.

While it sucks, I am struggling to figure out alternative solutions.

Let's suppose we did the opposite; if you tell the bank that it wasn't you, then they have to prove it was, and in the meantime they give you the money. Sounds great, but this makes fraud about as easy as you can get - open an account, deposit $50,000, then transfer it somewhere else and withdraw it to cash. Then, tell the first bank that it wasn't you that did it. Sure, they will be able to prove it was you eventually.... but according to our new rules, they have to return the money while they figure it out... you withdraw it all and flee.

There would be literally NOTHING the bank could do to prevent this sort of fraud. They could put a million checks in place, but since they would still need to 'prove' it was you when you claim it was fraudulent, and make you whole in the meantime, you could still steal the money during that time. You claim fraud, they put the money back into your account... and then they show someone (who? an arbiter? the gov?) that they have video evidence of you making the withdrawal. While the ruling is happening, you skip town with the money.

It really sucks, and I really can't think of a solution.

All of that argumentation is nice but it doesn’t hold any water.

Credit card companies are by law on the hook for any fraud committed with your credit card. Everything you just wrote applies to credit cards, and yet Visa and Mastercard are doing just fine. They aren’t going bankrupt just because you can file a chargeback whenever you want as a consumer.

There doesn’t seem to be any doubt Banks can handle this, because they already do.

Except they AREN'T on the hook for the fraud... the merchants are. They are doing fine because they pass on the costs to the merchants.

Also, when you dispute a charge, they are able to put the money in 'escrow', basically, while they investigate... since they control both sides of the transaction (both merchant and customer), they 'keep' the money while they resolve it. If they find in the card user's favor, they deduct it from the merchant account and credit it back to the card user. Otherwise, they release the hold and the merchant can withdraw the money.

It doesn't feel like your money is being held as a card holder, because the 'money' in this case is credit, and it doesn't affect your bank account while it is being resolved. However, it DOES count against your credit limit while they resolve the issue, so it shows you that the money is still 'frozen' while they resolve it. They aren't allowed to charge interest during the dispute, but if you lose the dispute you will have to pay the interest.

This is the same thing that happens when your bank account is defrauded.. the money is frozen, and you can't withdraw it until the dispute is resolved.

> Also, when you dispute a charge, they are able to put the money in 'escrow', basically, while they investigate... since they control both sides of the transaction (both merchant and customer), they 'keep' the money while they resolve it. If they find in the card user's favor, they deduct it from the merchant account and credit it back to the card user. Otherwise, they release the hold and the merchant can withdraw the money.

> It doesn't feel like your money is being held as a card holder, because the 'money' in this case is credit, and it doesn't affect your bank account while it is being resolved. However, it DOES count against your credit limit while they resolve the issue, so it shows you that the money is still 'frozen' while they resolve it. They aren't allowed to charge interest during the dispute, but if you lose the dispute you will have to pay the interest.

I knew roughly how this worked before, but it didn't occur to me until I read your explanation that this allows the credit card company or bank to invest the money while it's in escrow. So it actually benefits them when fraud happens on your account.

...of course that's a thing. The bankers always win.

Visa and Mastercard are card schemes. They just move the money between financial institutions. The issuer (the financial institution the credit card was applied for at) provides the credit line, i.e. they own the money. The scheme ensures that the other parties always get their money, which is why their business is really dependent on good fraud detection algorithms. The payment scheme will just freeze the settlements during the dispute, but if evidence is found that it was fraud, they will lose the money. This of course happens all the time, but it is just a pricing issue. Visa charges license fees from the issuer and acquirer, and every transaction costs the merchant around 0.5-5% depending on the card.

Had to check again: Visa and Mastercard actually don't carry the risk in this scenario. It's either the acquirer or the issuer. The scheme acts as a judge and decides whose fault it is. However, now that 3-D Secure is in place, if both issuer and acquirer support it, there are really few frauds. If they don't, the risk is on the one who did not enforce 3-D Secure.

I mean, they can't really 'invest it' since it was their money in the first place. They are loaning it to the credit card holder, who is giving it to the merchant. In this case they just don't loan it out until the case is resolved.

> I mean, they can't really 'invest it' since it was their money in the first place.

By extending someone a line of credit, they are investing some percentage of that line of credit as their money, because they have to have money on hand in case the person decides to use their credit card. They obviously don't have to keep the whole balance of every line of credit they extend on hand, because most people won't max out all their lines of credit. But they do have to keep some percentage. That money is invested, but only pays out money if the person uses their credit card and then rolls over a balance to accrue interest.

But let's say someone uses a credit card, and then someone disputes the charge (these are different people if the charge was fraudulent). The credit card company holds that money in escrow. While it's in escrow, they don't pay it to the merchant, so they still have it, and they don't count it toward their customer's credit limit, so it decreases the amount of money they have to keep on hand. However, they're still charging interest for it in the case that the charge is found to not be fraudulent. So their investment is paying off.

Now where this gets tricky, is now that money is invested, because they're charging interest for it, but they know they won't have to pay out that investment until the fraud investigation completes. So until then, they can invest it again! They always have to keep some money on hand in preparation for a fraud investigation to finish, but there is always some amount of money being tied up in escrow for ongoing fraud investigations, so they can invest that money twice.

The type of fraud you described (or at least a very close version of it) is already possible, and happens all the time. The way they manage this is that wire fraud is a federal crime that will land you with a lot more prison time than you might think.

Wire fraud has no mandatory minimum and depending on the transaction value the sentencing guidelines are very light. The killer is ID theft which carries 24 month mandatory minimum with no ability to run concurrently with any other charge.

My point simply being that most of these types of fraud are rather easy to commit, but actually quite hard to get away with, and the consequences can be very severe. I’ve worked with quite a few US financial institutions, and a lot of their fraud investigations end up with arrest warrants.

Bitcoin and other digital cash systems that are bearer instruments would change this: if the 1st outgoing transaction is valid, one can't then defraud the bank of the same money. On the flip side, if a user falls for a phishing campaign and sends digital cash to a fraudulent 3rd party, that can't be reversed, either.

I think that this is an extension of the semantic play that such leaks lead to "identity theft". Even if you took due diligence to protect your credit card and SSN or other personal info, after the fact you are being played as a "victim of identity theft". No, it is not identity theft that someone used your info to take out a fast loan or buy bitcoin with your credit card that an incompetent business lost, and now you are SOL with a ruined life/credit score; it is bank fraud, and banks should stop making it look like it is not their problem/fault.

It is even stamped on the CC that it is property of the issuing bank. So you made it in such a way that a skimmer can copy your card at a gas station and empty someone's account in a few minutes, but you are not part of the problem at all? Then what is the point of plastic other than milking fees?

Regarding your first point, there's a very relevant 2-minute sketch from the radio show 'That Mitchell & Webb Sound' that makes a similar argument: https://www.youtube.com/watch?v=CS9ptA3Ya9E

> and am again out $1000, but this time as a result of my bank's incompetence

> If the onus for verifying your identity were on institutions

Your two situations are really the same situation.

1. You give your money to another party, and then claim they committed fraud. You can't just instantly seize $1000 from them; you must prove that they committed fraud.

2. You give your money to another party to manage, and then claim they breached contract. You can't just instantly seize $1000 from them; you must prove they violated the contract.

In both cases, the legal onus is on the accuser to demonstrate criminal activity ("innocent until proven guilty"). Otherwise, you could walk around claiming people and banks owe you money and simply be presumed correct.

(Also, in both cases, it would have been better for you not to trust those particular parties.)

Not sure about the US, but this definitely does not apply in the EU. The banks are responsible. Also, the PSD2, which just came into effect here, sets standards on person identification, which every financial institution needs to comply with.

Of course, this does not mean that being a victim of identity theft does not suck.

The stolen information has some other severe side effects, which are not directly personal. The stolen credit card information and the driver's licenses are typically used for things like human trafficking. You buy some airline tickets with a fake passport and stolen credit card, and travel as someone else.

It already is. If you wake up one morning, and somebody else has been withdrawing money from your account, or charging your credit card, the bank already is liable for that, and will reimburse you. The losses from fraud are already written into their margins, the same way the losses from shoplifting are written into a retailer's margins.

>reliable identification somehow falls on the consumer, not the bank or what have you?

No, it falls on the bank or what have you. If the bank or what have you gets defrauded they lose the money.

As an unfortunate side effect the fraud might affect a consumer's credit, but not due to any kind of responsibility for the fraud.

The problem with what you're proposing is that, as far as I understand, the real "consequences" for things like identity theft end up being intangibles like "time" and "annoyance" or "credit score". I don't think you'll actually be out $1000, the bank will just reverse it or it will be covered under some sort of insurance or something. Many times it's just people taking out fraudulent loans under your name (vs. directly stealing money from you), so it gets handled entirely "digitally" and you experience no long term financial harm. Because of that, no one ends up "angry" at the bank, since what they lost was a week in "hassle".

Except that it can take months or years for the affected individual to clear up their credit record. And they may still end up on the hook for some of that debt. There is a direct and immediate impact on the individual in terms of debt against them and whatever credit reporting occurs on that debt. There is more distant impact on the lenders to eventually eat the losses - which in aggregate are in fact quite large - but no real impact to the lender’s reputation.

It's worth distinguishing between the lenders and the credit bureaus. The latter cause much of the pain around identity theft afaik.

>Except that it can take months or years for the affected individual to clear up their credit record

In what scenario could this take years? Honestly anything beyond a month sounds pretty unlikely unless your identity was abused for an extended period (as in by a family member or such), and even then I don't see how.

As far as I understand the process for getting fraudulent accounts removed from credit reports typically takes less than a week.


I had a fraudulent charge on my bank account via a “demand draft” (essentially a check without my signature). Yes, I had to spend significant time resolving the issue: going to the bank, having them insist they needed to close my account and reopen a new one, plus changing all my ACH drafts. But, I was very angry with the bank, because their proposed solution caused me hassle and doesn’t protect me from whatever attack vector compromised my account. They would not let me have them refuse to honor such instruments without prior authorization, either.

And, this was over a $40 charge. Had it been $4000, I wouldn’t have been any less angry with them for failing to protect me.

I think there might have been some sort of misunderstanding in my post. I’m explaining a phenomenon I see: people aren’t generally angry with their bank over identity fraud, and that makes holding them accountable difficult. I don’t disagree they share much of the blame, just trying to point out how non-HN people see things. While you may very well be pissed with your bank, I think the general response to your story is “relief” at getting the money back and “anger” at the criminal. Again, I am not implying this is who they should be angry at, just who I see them get angry at. So, step one is convincing others to have the same response as you if the goal is to hold them responsible.

'Reverse it' often isn't exactly that simple, or even an option, depending on the method of transfer.

Hell, imagine how many scans of people’s passports and driver’s licenses are sitting in databases waiting to be leaked, yet images of those documents let you authenticate with all sorts of financial institutions online from banks to Coinbase to Paypal.

We really need to rethink all this. Until then, it feels like mere luck that today wasn’t the day someone decided to social engineer their way into your life.

Everything is so precarious.

If militaries have any imagination, they already have this data for their adversaries' populations and have cyber weapons ready to do this quickly at massive scale.

I'd assumed that was the motivation for the OPM hack. Helps root out agents and handlers since they have SF-86 forms and biometrics, but also a massive database for identity fraud. Also helps with money laundering, which even richer states can benefit from.

Editor's clarification: United States Office of Personnel Management (OPM)

Their first targets would be things like power plants, tv stations, and central network nodes. Sowing chaos is useful, sorta, but that means things are still usable -- and the OpFor can potentially hit back. Better off just silencing the wires altogether; hit the power plants, tv and radio stations, major telephone & data centers, undersea cables, etc.

If I had $40B to budget on cyber warfare I'm finding out how to hack nuclear plants or cause hydroelectric dam overloads, not tinker with the Amazon accounts of the flyover states.

I've worked for companies who were more careless with even more private data that was required by law to be encrypted but wasn't.

Always comes down to "we don't have enough time". Then when it leaks we have all the time in the world.

I think we need a hierarchy of identity verification.

At the top, we'd have in-person verification using physical documents, such as passport, driver's license, birth certificate, and similar. A good candidate to handle this level is banks and credit unions, at their branch offices.

To handle people who can't come in in-person to set up their account at a top level verification service, there could be top level providers that send a notary to you to check your documents.

Online access to top level accounts should require 2FA. Account recovery in the case of lost passwords or lost second factor or lost recovery codes would require another in-person verification.

Next down in the hierarchy would be services like email providers. When you set up your account with them, you should be able to associate it with one of your accounts at a top level provider, and there should be a way for the email provider to verify with the top level provider and with you that you really are the owner of that top level account.

Account recovery for these accounts requires re-verifying with the associated top level provider.

Below that are services that use your email address as your identity. They verify you the usual way--sending an email and requiring you to prove that you received it. Account recovery requires the same kind of verification.

The idea is that everything is ultimately rooted with your top level providers. If you can protect those accounts, then everything below has protection. Someone might still temporarily hijack your Twitter account or even your email account, if you aren't using strong 2FA and your password leaks, but you can do an account recovery using the account that is above it in the identity hierarchy.

For banks that serve as top level verification services, this should be separate from online banking accounts. People need to routinely log into online banking, but should only very rarely need to use their verification account. The verification account generally only needs to be used when creating a new account one step down the hierarchy, such as a new primary email account or a new account at a domain registrar, or when recovering a lost or hijacked email or domain account.

It should thus be feasible to not store your top level password online at all. It can be on a printed document kept where you store other important documents, such as in your fire proof safe with your passport and birth certificate.

On another topic--sites really should clearly document how things like account recovery works. If a site that requires 2FA for login allows configuring whether that is via SMS, TOTP, or U2F...but then it turns out that you can always do account recovery via SMS even if you disabled that as a 2FA method for login, I want to know that up front, so that I know that switching to TOTP or U2F doesn't actually protect me against account theft. At many sites, the only way to actually find out how account recovery works is to go through it, and that is annoying.
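The hierarchy proposed above, and the point about recovery flows that quietly bypass the login factors, can both be checked with a small model: an account is only as strong as the easiest route into it, whether that route is the login screen or a recovery flow, and a recovery flow that defers to the account one level up inherits that account's assurance. This is an added example written for this page, not code by the commenter or by any provider named here; the factor ratings, the account names and the `via:<account>` convention are assumptions chosen to illustrate the idea.

```python
"""Weakest-route model of an identity hierarchy (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal assurance rating per factor. This scale is an assumption made for
# the model, not a standard; higher means harder for an attacker to satisfy.
FACTOR_STRENGTH = {
    "in_person": 5,   # documents checked at a branch or by a visiting notary
    "u2f": 4,
    "totp": 3,
    "password": 2,
    "sms": 1,
}

# A path is a list of factors that must ALL be presented. The pseudo-factor
# "via:<account>" means "prove control of that account one level up".
Path = List[str]


@dataclass
class Account:
    name: str
    login: Path
    recovery: List[Path] = field(default_factory=list)


def path_strength(accounts: Dict[str, Account], path: Path,
                  seen: Tuple[str, ...] = ()) -> Tuple[int, str]:
    """Strength of one all-factors path: the attacker needs every factor, so
    the hardest one dominates. A "via:" hop inherits the parent's assurance."""
    best, label = 0, []
    for factor in path:
        if factor.startswith("via:"):
            parent = factor[len("via:"):]
            strength, route = effective_assurance(accounts, parent, seen)
            label.append(f"{parent}[{route}]")
        else:
            strength = FACTOR_STRENGTH[factor]
            label.append(factor)
        best = max(best, strength)
    return best, "+".join(label)


def effective_assurance(accounts: Dict[str, Account], name: str,
                        seen: Tuple[str, ...] = ()) -> Tuple[int, str]:
    """An attacker takes the easiest way in, so an account is only as strong
    as the weakest of its login path and its recovery paths. Ties go to the
    login path, which is listed first."""
    if name in seen:
        raise ValueError(f"recovery loop through {name}")
    seen = seen + (name,)
    acct = accounts[name]
    routes = [("login", acct.login)] + [("recovery", p) for p in acct.recovery]
    weakest = None
    for kind, path in routes:
        strength, how = path_strength(accounts, path, seen)
        if weakest is None or strength < weakest[0]:
            weakest = (strength, f"{kind}:{how}")
    return weakest


def sample_hierarchy() -> Dict[str, Account]:
    """Constructed sample: a bank verification account at the top, an email
    account rooted in it, a social account rooted in the email, and a site
    whose recovery silently falls back to SMS despite a U2F login."""
    accts = [
        Account("bank_verification", login=["password", "u2f"],
                recovery=[["in_person"]]),
        Account("email", login=["password", "totp"],
                recovery=[["via:bank_verification"]]),
        Account("social", login=["password", "totp"],
                recovery=[["via:email"]]),
        Account("sms_recovery_site", login=["password", "u2f"],
                recovery=[["sms"]]),
    ]
    return {a.name: a for a in accts}


def audit(accounts: Dict[str, Account] = None) -> Dict[str, Tuple[int, str]]:
    """Effective assurance and the weakest route in, for every account."""
    accounts = accounts if accounts is not None else sample_hierarchy()
    return {name: effective_assurance(accounts, name) for name in accounts}


if __name__ == "__main__":
    for name, (strength, route) in audit().items():
        print(f"{name:20} assurance={strength}  weakest route: {route}")
```

Running it rates `sms_recovery_site` at the SMS level even though its login requires U2F, which is exactly the situation the post says a site should document up front, and it shows `social` inheriting the email account's assurance through its recovery hop rather than gaining anything from the bank account two levels up.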

People don't really use them to hack existing accounts so much.

They use them to create new accounts to move money that way.

Yeah. In fact reversing a fraudulent credit card charge is a LOT easier than dealing with identity theft or stalkers.

Alternative, when do we start using proxy services that give minimal, fake information that forwards to our real identity? Apple sign-in was an understated release, but it will be one of the company's flagship products in years to come.

The cynic in me thinks they leaked names, addresses, and credit card numbers but not the CVV number. Without the CVV it's not technically possible to make charges, so it would not be a lie.

I think it's been clear since Equifax that private data can't be used to prove identity. I honestly wish the hacker behind that attack just gave away the entire dataset to the public. It would have stung a little at first, but it would have saved society a ton of time and money on the long run.

> Without the CVV it's not technically possible to make charges, so it would not be a lie.

You can process charges without the CVV, but it costs you more to process them, and it is supposed to lower the risk.

Some big players like Amazon still process payments without the need of providing a cvv.

At least with a drivers license it should be pretty easy to commit identity theft and sign up for credit cards/open bank accounts with that person’s identity.

"It's only 200 of Cambridge Analytica's 5000 data points about you."

But now they have a dump of how many people's names, addresses and phone numbers?

Leaking is only part of the problem. The main issue is that this information lets you authenticate with anything at all or as a starting point for social engineering.

For example, you could build your own database of millions of records of name/phone/addr just looking up WHOIS info on every domain name you come across.

And I'm reminded of how you can get into someone's Amazon account by feeding WHOIS information to their customer support, even if the address is bogus but is in the same city that Amazon has on file. https://medium.com/@espringe/amazon-s-customer-service-backd...

HN takes out its pitch forks for every leak, but the outrage is often misdirected.

For example, why do we have this idiotic system where you can make purchases on my credit card with the same credentials I hand out multiple times a day, even for a $5 hotdog, and as a result I need to remain eternally vigilant to find fraud on my monthly statements? Why can you get into my Amazon account if you know a single address that approximates one of the addresses I've ever shipped product to?

Leaking is inevitable. The problem is that our system and thus our expectations are built as if it's not.

Cash really is underrated.

What websites are storing your mother’s maiden name?

Besides maybe the bank

Anyone that asks a security question, eBay for one.

Only if you provided that information as answer. kwPP2ET6cJMFXVD7BXKJ is an acceptable answer to the maiden name question.

I like swear words. It's fun to tell online personnel your first high school is "Eat A Dick, Son".

High graduation rates at EADS HS, for the record.

Oh yeah I have some memorable made up names I put in those. Never thought to use my real one.


If they get hacked... well, say goodbye to maiden name as a verification!

Unless you have a domain with GoDaddy, of course...

Can you expand on that? Not really sure what you're referencing?

GoDaddy let someone unlock the account by knowing the last 4 numbers of their CC and allowed the hacker to just guess the other two (you need to know 6)

I'd like to point out, it's not "DoorDash" that has done anything wrong, it's these people:

- Andy Fang

- Evan Moore

- Stanley Tang

- Tony Xu

They decided our security and privacy wasn't worth as much as hur hur hur growth hacking startup hur hur next uber, and couldn't be arsed to even give us a proper apology.

Look at their blog post: not one mention of the words "we sorry, we fucked up".

It's all about the other guys.

The bad guys.

The guys who stole your data not us, and you should change your password with us to protect your account with us.

No. That's wrong. Look at the 295 million people who weren't affected -- all the people who don't use doordash at all!

That means the best way to protect yourself is to simply not use doordash. Delete it. Delete the email account and the bank/credit card you used with them (ask your bank/credit card company for a new number). Move if you've got to (drivers license details!?!?!?) You have no other protection now- you're fucked. They have your data, and they're only going to risk it again.

And remember how difficult it is to get in control of your data again when the next breach happens, the next time you're thinking about signing up with something, or you're getting ready to vote.

The founders are very busy devising wage theft schemes. How can they possibly spend time on security or apologies?

> devising wage theft schemes


There was recently a controversy over how Doordash implemented its tipping policy. Drivers get paid a wage to deliver food to you, and you would expect that if you specify a tip through the application, that tip goes to the driver and their compensation is increased by N, where N is the amount of the tip you specified.

It turned out that until recently, that was not the case; drivers would get a wage to deliver food to you, and if you specified a tip through the application, then the driver would have money deducted from their wage equal to the amount of the tip up until tips made up one hundred percent of their wages, at which point tips would increase their take-home.

So in effect, Doordash was using tips to subsidize worker pay as opposed to augmenting worker pay, and this was in no way communicated to customers who reasonably expected that a tip would increase the worker's compensation.


That is extremely misleading. Another reason to tip in cash, I suppose :/

Instacart and DoorDash used to deduct tips from the money paid to drivers so drivers make the same regardless of whether they receive tips or not. Instacart changed their policy in February 2019 while DoorDash changed it in the last month. Other delivery services like UberEats, Postmates, and Grubhub did not engage in this practice.

Basically if you "tip" a driver through DoorDash, the tip doesn't really end up going to them.


DoorDash implemented that scheme to give more consistent payments to workers, as tips are quite variable. Anyway, if it helps, DoorDash is currently moving away from that model. [0]

[0] https://www.theverge.com/2019/8/22/20828742/doordash-tipping...

> as tips are quite variable

That's kind of the point. And par for the course in any tipped job.

If DoorDash had actually wanted to make it consistent, they would've just removed tipping, like everyone else does that wants to do that.

What they did was shady as hell, and they know it which is why they are changing it.


* There is the common, legally mandated practice for employees where minimum wage is paid instead of tips, until base pay plus tips meets that. You could make the argument that DoorDash base pay is simply $0.

But (A) base pay of $0 is never done, (B) base plus tips don't typically fall below minimum wage, and (C) this doesn't really apply anyway since DoorDash doesn't pay wages; it pays contractor fees.

I agree there should be real people (founders, c-levels, engineering managers, etc) taking responsibility for things like this. Another place to look at is the insurance companies who sell cyber liability policies to basically all (even small) tech companies. Those policies provide near full coverage for the most expensive parts of breaches like these (including a set dollar value, often $100-200k in policies I've seen, to hire a PR firm to recover from the media fallout). These policies are often surprisingly cheap (you can get very good coverage for $10k / year).

Edit: A common complaint with these types of announcements is the lack of owning the mistake. Just wanted to point out that this is almost certainly a result of the company contacting their insurance carrier about the incident, and the insurance carrier instructing the company how to respond to the event (in order to remain eligible for benefits under the policy). It’s not a great excuse, but there is a reason that’s slightly outside the control of management.

Really interesting. Do you know who the biggest insurers are?

A couple examples: Beazley, The Hartford. There are lots. Most companies have an insurance broker who goes out to the various insurance companies and brings the quotes/options to the companies to choose from. https://foundershield.com/ is one example of a broker for small/medium size companies.

Could not agree more. There's a tendency to not blame founders... but why? They created the product from the ground up. They had a choice on how to build security and chose the easy way out. They should be held to a higher standard given the power dynamics they have over the company and its users.

I would subscribe to a blog you write about the people (with names, photos) behind every single business fuckup, especially if it is a decision made because of greed.

For frustrated folks like myself who are also lazy like myself:

How to deactivate: https://help.doordash.com/consumers/s/article/How-to-deactiv...

Where to deactivate: https://help.doordash.com/consumers/s/contactsupport?languag...

*For what it's worth, deactivation and deletion are mostly semantics if the point is to send a message to a company that their mismanagement erodes trust with users. "Churn" is a metric that very much matters to executives and "deactivation" impacts that.

I'm very uncomfortable with this level of personal shaming. There's a reason most serious tech companies have adopted a "blameless post-mortem" culture. When you individually vilify people for mistakes, you create a culture of fear and kill initiative and risk-taking. Maybe you think everything worthwhile has already been invented, but I don't.

Is there something about this story that makes you think it's an issue of negligence rather than a capable intruder? We keep getting told that total security is impossible. Isn't this inevitable? Is it just that they waited too long to disclose it?

Security is a cost/benefit decision, not a binary one. More security costs more. Putting the driver's licenses and bank details of employees in the same database as the credit cards and names of customers is cheaper than putting them on separate databases. Putting them on the Internet is cheaper than having a separate network. Turning off your logs "when you don't need them" is cheaper than leaving them on all the time.

If anyone says "total security is impossible" you just say: So fucking what? That's not an excuse for spending as little on security as possible, and you know someone isn't serious about security if they avoid admitting they are responsible for the security in the first place.

(clarifying since I've gotten one downvote as of now): Of course we should all be mad about the general state of computer security. I'm just trying to figure out if I really should be avoiding DoorDash in particular or is this just a straw breaking a camel's back?

sorry, who are these people you've just graciously named??

The founders (and current CEO and CTO) of DoorDash.

thx, I just wasn't sure exactly who it was

At this point HN should just have a permanent module in the top right corner announcing the latest data breach.

"Days since last publicly disclosed data breach breach: 0"

Honestly? A minutes scale might be more appropriate there. Unless we add the "Major" but then, what is major?

Nah, a minutes scale would require data entry frequently, and HN's volunteer moderators probably don't want to have to click "Reset breach counter" all the time, plus you'd need to write code for both that button and the minute counter.

Let's keep HN Javascript-light: "Days Since" is much easier to implement. Just one line of static HTML will do:

    <b>Days Since Last Breach: 0</b>

The UK ICO has an upper limit of 10 accounts leaked, above that they consider it to be a major breach.

I can't find a reference but when I first learned about this I was actually surprised the number was that low. That was before I realized that working with computers and databases for so long has totally desensitized me to the fact that we are dealing with stupendous amounts of data on a daily basis and that what we IT people see as 'small' is likely not what entities such as the ICO or other DPAs see as small.

Show a histogram. Logarithmic scale, number of accounts affected.

A rounding error.

Breaking news: There is someone who has been walkabout living in the woods since 2000, and nobody has his data!

I know you're joking, but I have a relative like this.

Owns a huge swath of land someplace remote. Only deals in cash. (His special skills are such that his employer gladly pays him in cash.) Doesn't trust cars with electronics, so he builds his own motorcycles to get around. As far as I know, the only record of him existing is property tax and income tax.

I went to visit once, and he doesn't even have a mailbox. I assume he has a PO Box somewhere. He built his own house. It's not a very good house, but it's good enough for him and his wife. The only electronics he has is a TV that runs off of some kind of tiny water mill in the creek. It only gets over-the-air channels.

I guess he's happy, but it's not the kind of happiness I could bear. He also seems to have lost all interest in shaving.

Equifax has his data probably lol

Imagine being afraid of car electronics and choosing a motorcycle as your safe method of transport.

I asked my wife about it, and she remembers him saying something about in his state that if a vehicle is a certain percent cobbled together, it doesn't have to be registered. I wonder if that's his motivation.

Ya, some pre-2010 car should be perfect.

Maybe we’re dealing with the same guy. Lives out in the woods. He only corresponds by fax. Checks are sent to a PO Box. Machinist who creates custom metal work.

It's far too common now and there doesn't seem to be any meaningful consequences for the websites/companies involved.

IMO I think this is the core of the issue.

As long as there are no serious consequences for leaking users' data these things are going to continue to happen.

But if you suggest large fines for data breaches, suddenly HN resounds with a chorus of "regulatory capture!"

Large fines can—and probably should—be relative.

Edit: I’m not sure I’ve ever heard anyone suggest “regulatory capture” as a reason to not levy fines against companies who held breached data. HN discussions on this topic seem to trade in the same repeated points—“identity theft” is bank failure/fraud masquerading as the customer’s problem; there should be consequences and/or fines for the party who held the data; the frequency of breaches should make us rethink how private PII really is; etc.

The official blog post doesn't give any information about the breach except "We noticed a third-party had unauthorized access to DoorDash data", and the TechCrunch article says that DoorDash responded that they couldn't explain how the breach happened. How are they so sure that they fixed the underlying cause if they don't even know how the third-party got access in the first place?

"couldn't explain" = Were too embarrassed to explain... or could expose themselves to several lawsuits by revealing.

It seems like the breach was through a third party that only had old data, since nobody that registered after April 5, 2018 is affected.

So it's probably some service that they no longer use and doesn't really need to be fixed or investigated, since all the data they had has already been taken and they (probably) stopped giving them more data a year and a half ago.

They should really say who the third party was though. Hopefully that information comes out.

A year ago customers were complaining that their accounts were accounted despite using a unique password for DoorDash. DoorDash at that time denied any hacking incidents.

A more sinister explanation is that DoorDash knew back then who is leaking their data and removed their access. But chose to disclose only just now.

There is a silver lining in all these data breaches. At some point in time all our data will have been leaked at least once and probably more than once and subsequent leaks will not do any more damage.

The safe assumption would then be to not trust any accounts created online without some good old KYC processes in place requiring live verification of identity.

But we generate new data that's worth stealing every day

A government created physical token for every person could be the direction we are headed

Alternatively, we might be headed for sane data breach and privacy laws. Something like... if you want to store personal data then pay for an external audit or have your domain confiscated - done.

Exactly this. If companies actually had to face serious penalties for every breach, the frequency of them happening would plummet.

Ever since the enacting of the GDPR I've seen a substantial uptick in the number of companies that take their data liabilities seriously.

Not doordash, apparently. Their CS agents and supervisors were completely unaware of GDPR and unable (or unwilling) to delete accounts.

Doordash is headquartered in San Francisco, that might have something to do with it. Do they even operate in Europe?

I've had that thought, but then someone steals your token…

Maybe it could be surgically implanted to deter theft

And in the minds of many, the fulfillment of ancient prophecy in that "it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name" (Revelation 13:16-17, ESV)

I'd prefer "Give me your wallet" to "Give me your arm" any day of the week.

The good ol' biblical mark of the beast

Totally agree! As a bit of self-promotion, my company (Berbix) is trying to solve this by automating ID checks and being the best possible stewards of this sensitive data: http://berbix.com

We've gone to great lengths to secure ID and DL information and have even built a watermarking service to track all access to these images: https://docs.berbix.com/docs/transactions#section-watermarki...

Original blog post: https://blog.doordash.com/important-security-notice-about-yo...

From the techcrunch article: "It’s not clear why it took almost five months for DoorDash to publicly reveal the breach. DoorDash spokesperson Mattie Magdovitz say why [sic]."

Pretty bad. If personal identity info is exposed, it is irresponsible not to notify users immediately so they can freeze credit and watch for suspicious activity. The blog post did mention a third-party vendor, so it's possible there was a delay, but it's a whole other problem if it took this long to find a breach.

This sounds like it could be "flipboard-itis". Flipboard stored passwords insecurely in the beginning (SHA-1), but switched to bcrypt as it scaled. The passwords breached were before 2015, so possibly a similar thing here where they started out with bad security and improved with scale (but left the old stuff behind). I'm guessing Doordash did something similar and improved security as it scaled.

They really should have given some actual information, i.e. how the information was stored. I want to know what algorithm was used, not how "it was securely stored so people still can't take your money" or some other corporate-speak intended to mitigate the damage.

Huh? The blog post says April 5, 2018.

I'm not sure what you're trying to point out, but it seems like the data was stolen from a third party DoorDash uses, and that they only had data from users that registered on or before April 5, 2018. The breach actually happened on May 4, 2019.

(And the 2015 reference in the comment you're replying to is about a Flipboard breach, not DoorDash)

Well, back in 2018, TechCrunch reported that they were compromised. I believe this is the same breach as then. They just reported it one year later.


The classic trite "We take the security of our community very seriously." Nearly every corporate communication about a breach says it and often it comes out to have been demonstrably untrue.

Here's a four-year-old collection:


> “We take security seriously”, otherwise known as “We didn’t take it seriously enough”

It's like the data breach version of "It's been an incredible journey!" after getting acquired.

Someone should make a Tumblr for data breach marketing copy.

A sibling site of Our Incredible Journey could be SRS BSNS, with statements by companies to that effect.

(Throwaway account)

I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame, themselves.

The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.

I can't figure out what "third party provider" you send passwords to though?

Yeah. My guess is 3rd Party provider is AWS S3 and a DB backup was accessed.

I feel bad for the people affected but at least the scummy company got what it deserved for stealing tips (for those unaware, they used to withhold the total tips out of a delivery drivers base compensation so essentially taking the tips for themselves).

Now if they could just completely die so a more ethical competitor can take its place it would be even better.

The part where they didn’t tell the customers they were doing this is definitely scummy. The pure economics of it is more complicated—DoorDash was redistributing the “tips” to effectively guarantee higher minimum payment per order (a lot of customers don’t tip at all as the social expectations with the delivery apps are not as well established), and after they’ve changed the policy a number of dashers see their overall pay has decreased through no fault of their own (there can be many factors that are correlated with giving more 0 tips in a given area/route that have nothing to do with the driver).

The honest thing to do would have been to raise the delivery fees across the board, but that doesn’t attract customers. The seemingly optional “tip” preys on the customer’s mistaken assumptions and was used as a sneaky way to achieve the same thing.

What would be best is for everyone to not ask or expect tips, instead of utilizing this social pressure system to display deflated prices.

Food delivery customers care about very few things: 1) cost 2) food quality 3) delivery time

If a more ethical competitor can't match or exceed these, they won't be a competitor for long.

Yeah the Equifax breach was the nail in the coffin for them... Data breaches rarely hurt companies it seems.

Equifax's story is different, people don't have a choice whether to use them (if people did they'd already be out of business) and they have a near-monopoly, not to mention they are profitable so they are here to stay.

Doordash? They're just a shitty startup trying to "disrupt" the market by forgetting laws and morals and are only surviving thanks to VC money. People are not obliged to use them, and since they're essentially providing a commodity people can easily choose to use a competitor, only accelerating Doordash's inevitable demise. People aren't always reasonable, and such incidents can sway them towards other competitors (even though I doubt the competitors are any better in terms of security).

> Doordash's inevitable demise

Perhaps it's different elsewhere, but out of the services I use here in Houston, Doordash is consistently the best experience. Obviously if one of those competitors can best them in categories that matter (cost, speed, and accuracy) I'll switch.

> Obviously if one of those competitors can best them in categories that matter (cost, speed, and accuracy) I'll switch.

It's just a matter of time anyway, the VC money will dry up, they will either go down the drain right away or raise prices, which if nothing else will open the doors for another VC-fuelled competitor to overtake the market by subsidising deliveries for the next few years.

True of most startups that aren't turning a profit.

However, it doesn't seem that Doordash is struggling that much, and is outpacing its competitors in growth rate


Anecdotally they've been the worst. Since you're adding a delivery middle man to the process instead of having a restaurant deliver straight to you, the food is usually later and colder. I think the only reason to use them is if you're craving something that is farther away or doesn't deliver, like fast food. But then you're paying a premium for colder/crappier food.

What product or service do you believe that Equifax is near being a monopoly provider for?

Credit reference agency? Okay there are 3 of those, but given that pretty much every single financial institution both queries and reports to all 3, they all have a monopoly and none of them is going away.

They did no such thing, and I find it frustrating that people keep repeating this falsehood. Doordash promised to pay drivers at least $X (where X was, I believe, $1 or something like that) AND that the driver will make at least $Y from the delivery. The driver always gets the tip, plus a variable amount from DD. This is _exactly_ how it works for wait staff in restaurants in most states, except that is by hour instead of delivery. For example, in MA, the restaurant pays out a minimum of $3.75 (wait staff minimum wage in MA) and guarantees that the wait-person makes $11 (actual minimum wage). See https://www.dol.gov/whd/state/tipped.htm

Did they make that clear to the end customer that this is what's happening with the tips? I don't care what their contract with the delivery driver states, if they allow me to add a tip I expect that tip to go in the driver's pocket in addition to whatever they'd get paid without the tip, just like if I was giving them cash directly. If that's not what's happening they have essentially defrauded me and I wouldn't be too happy about that.

The fact that it works just like waitstaff in restaurants (which is the first tipped job that comes to mind for the vast majority of people) makes it seem reasonable to me. Either way, though, they didn't do as the OP said they did

> they used to withhold the total tips out of a delivery drivers base compensation so essentially taking the tips for themselves

The driver's base pay was something like $1 or $2. They did not take tips out of that.

When was the last time a restaurant disclosed this arrangement to you?

Restaurants are bound by labor laws that require minimum wages to be paid to employees. As far as I know, Doordash drivers are not employees but are independent contractors which means they aren't required to be paid minimum wage under the Fair Labor Standards Act. Since they aren't required to be paid minimum wage this situation is completely different than at a restaurant

> This is _exactly_ how it works for wait staff in restaurants in most states, except that is by hour instead of delivery. For example, in MA, the restaurant pays out a minimum of $3.75 (wait staff minimum wage in MA) and guarantees that the wait-person makes $11 (actual minimum wage).

This is deceptive.

The big difference is that Doordash's calculation is redone for every order delivered. With wait staff past minimum wage the tip you give them doesn't in any way reduce the amount of money the business pays them. The business pays them the same amount if they make $1/hour above minimum wage or $20/hour above minimum wage.

With Doordash on the other hand, the tip you give _always_ reduces the amount Doordash pays. You are essentially subsidizing Doordash's payment of the driver.

This is deceptive because most people expect that when they leave a tip that the amount of the tip they leave will directly increase the income of the person they're tipping. In reality, a Doordash driver is very unlikely to make additional money because of your tip unless you tip a large amount. To top this off Doordash advertised tips as "100% goes to the driver", which is extremely scummy because it obviously is intended to trick people into this belief.

That just means that restaurants are stealing tips, too.

got what they deserved? this won’t affect their business in the slightest.

DoorDash is the worst. They inexplicably banned me from their platform after giving me a credit for a bad order. I filed several support tickets over several months and kept getting canned responses about how they were "looking into the issue." Eventually I just switched to Uber Eats.

I've been vending myself unique email addresses for every online account I use for about 3 years. They are nice because I can reply to them like a regular mail and my actual email account gets stripped out automagically.

I've been considering making it a product and I wonder in this case what people would want to do when the account data gets leaked?

1. blackhole all email to the address.

2. forward all email to some email service that is never/rarely used.

3. flag messages that are not sent from the matching domain (doordash.com in this case).

4. blackhole and generate a new address so the user can go back to door dash and provide a fresh email address.

I also wonder if there is any use for meta data on who's trying to email a blackholed email address, e.g. spam blacklisting.

You can do something similar with fastmail. Get a domain for your email and make an alias address of the form [anything]@[alias].domain.com . You can then make 'sending identities' for an instance of that catchall domain for the rare time you need to send email as mortgage_company@a.domain.com . You can also create rules to blackhole a specific alias email or whatever you want when you need to invalidate the email.

Fastmail also have tons of alternative domains like nospammail.net so you can make your registering emails in a domain that is separate from you email address.

So your address is me@fastmail.com but you could use addresses like mortgage_company@alias.nospammail.net...

So how would you handle this breach with your fastmail alias?

If I start noticing annoying spam being sent to doordash@a.domain.com then I make an email rule to delete it and change my doordash account email to doordash_again@a.domain.com along with a password change with my password manager?

It'd be nice if there was a way to wave that pile of emails at some authority and say "Here, this is the crap that's come of that data breach." Ditto for any authorized (but shady) third party data sharing.

Sadly we currently lack a consumer protection bureau.

This is the part that is really missing.

I use user.site@mydomain.com whenever I sign up at random sites. Last night I got a bunch of spams at the just-eat [1] account (food delivery, operating in 13 countries so not a small operation).

Now I know they've been breached, but:

1. They haven't reported it anywhere.

2. I don't know of any meaningful action I can take.

[1] https://en.wikipedia.org/wiki/Just_Eat

They're headquartered in the UK, so I'd start with making a complaint via the Information Commissioner's Office: https://ico.org.uk/make-a-complaint/. The best option is probably "Your personal information concerns":

> If ... you’re concerned about how an organisation has handled your information – if the information is wrong, they have lost it or disclosed it to someone else – tell us.

You could submit evidence of the breach to security researcher Troy Hunt at HaveIBeenPwned (https://haveibeenpwned.com/FAQs#SubmitBreach). He maintains a database of data breaches and people can sign up to be notified if their info appears in a new breach.

That would be an interesting project, create the breach-via-spam sensor network via accounts.

It also might not be a breach, but could have been sold via some sort of marketing 'partnership'.

Some email services let you receive to a wildcard, so anything on your domain.

Also I believe Blur already does this (the company name may have changed but I forget)

I still worry about DoorDash's security - someone has signed up for services with my email account - not an issue, I just will never verify them. But they had signed up for DoorDash, and I didn't realize it, and then I tried to sign up for the first time via the Android App with that same email account. I selected the email account and to my surprise it immediately let me into the other person's account! They had ostensibly set up a password, but I didn't need it and could see their phone number and bits of their payment information. I sent in a support email for that one, and got the account closed, but still, not a great sign.

I don't understand, it just never prompted you for a password?

Nope. I was using the built in Android Account linking (like if you link up your Facebook account to an application OAuth style), but the person who set up the account couldn't have been - they would have set it up with a password as they can't access my email account.

Of note here, I never verified the account when the user first signed up, so DoorDash has always just been going on the first guy's word that they are who they say they are.

If you control the email address on the account you could get in by resetting the password, so I'm not sure what the difference is there

To me the difference is the intent - I didn't intend on entering someone else's account. If I'd tried to log in with a password/email, it would have told me the account already exists, or prompted me to reset the password, and then I'd need to request that and knowingly invade the account. This way I just walked right in without even knowing what I was doing - I didn't realize there was even a problem until I went "hey, that's not my phone number!".

I don’t see the issue? DoorDash authenticated that you own the email account via a trusted third party. Once authenticated they authorized you to use the account associated with that email address.

It’d be like someone else booking a hotel room as you. When you show up at the front desk they verify it’s you and then let you into that room because it is after all... yours.

Actually, it's more like someone else booked a hotel room as OP. Since they were there in person, the hotel gave them the room key, and they are in that room taking a shower (updated the phone number in this case). The OP goes in and asks for a room, presents his/her email, and since it matched receives the key to the _same room_. OP then walks into the other guy's room while they are in it. At least that's my understanding of it.

edit: grammar

maybe if you said you lost your key, but if you come in and ask to check-in, the clerk isn't just going to hand you a new key. they're going to say, but mr. soandso, you're already checked-in.

I suppose so. I guess we assume that email ownership is digital ownership - even though they never verified that the user in fact owned the email? I wonder how that legally works - was I in the wrong for unwittingly accessing someone else's information?

Yeah this is why you do email verification. But you gotta move fast and break things ¯\_(ツ)_/¯

Or whatever the hip phrase is now that FB is radioactive.

Lots of services out there let you log in using both password or an external provider (Google, Facebook etc.)

I guess I've never experienced a service where it lets you log in with either option on the same account. At least it should have you verify the email account before assuming that the information is valid.
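The failure described in this subthread (a social sign-in dropped straight into a password account that merely shares the same, never-verified email string) comes down to one decision in the account-linking code. The following is an added example, not DoorDash's code or anything quoted in the thread; the account model, the provider names and the `email_verified` flag are assumptions. It puts the unsafe merge beside a hardened version that refuses to join a provider login to an existing account unless the provider vouches for the address and the existing account's owner has actually verified it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Account:
    email: str
    email_verified: bool = False           # did the owner ever click a verification link?
    password_hash: Optional[str] = None    # opaque; set when the account was created with a password
    linked_providers: Set[str] = field(default_factory=set)
    phone: str = ""                        # stands in for the profile data the commenter could see

Accounts = Dict[str, Account]              # keyed by lower-cased email (constructed store)

def signup_with_password(accounts: Accounts, email: str, password_hash: str) -> Account:
    """Classic signup: the address is recorded but NOT yet proven to belong to the signer-up."""
    key = email.lower()
    if key in accounts:
        raise ValueError("account already exists; use password login or reset")
    acct = Account(email=key, email_verified=False, password_hash=password_hash)
    accounts[key] = acct
    return acct

def login_with_provider_unsafe(accounts: Accounts, provider: str,
                               provider_email: str) -> Tuple[str, Optional[Account]]:
    """The failure mode from the thread: any provider sign-in whose email string matches an
    existing account is treated as that account's owner, no verification state consulted."""
    key = provider_email.lower()
    if key in accounts:
        accounts[key].linked_providers.add(provider)
        return ("login", accounts[key])           # walks into someone else's account
    acct = Account(email=key, email_verified=True, linked_providers={provider})
    accounts[key] = acct
    return ("created", acct)

def login_with_provider(accounts: Accounts, provider: str, provider_email: str,
                        provider_email_verified: bool) -> Tuple[str, Optional[Account]]:
    """Hardened handling of an OAuth / OIDC sign-in.

    1. Only trust the address if the provider asserts it is verified (an assumed
       `email_verified`-style claim; without it the address is just a string).
    2. A brand-new address gets a fresh account.
    3. A provider already linked to the account is a normal login.
    4. An existing account that never verified its own address is NOT merged: nobody
       has proven ownership of that address, so joining the two would hand one party's
       data to the other. The safe outcome is to stop and require verification.
    5. Otherwise the verified owner is linking a new provider to their own account.
    """
    if not provider_email_verified:
        return ("rejected_unverified_provider_email", None)
    key = provider_email.lower()
    acct = accounts.get(key)
    if acct is None:
        acct = Account(email=key, email_verified=True, linked_providers={provider})
        accounts[key] = acct
        return ("created", acct)
    if provider in acct.linked_providers:
        return ("login", acct)
    if not acct.email_verified:
        return ("blocked_unverified_owner", None)
    acct.linked_providers.add(provider)
    return ("linked", acct)

if __name__ == "__main__":
    store: Accounts = {}
    victim = signup_with_password(store, "someone@example.com", "pbkdf2$constructed")
    victim.phone = "555-0100"                      # constructed profile data
    print(login_with_provider_unsafe(store, "google", "someone@example.com"))   # ('login', victim)
    store2: Accounts = {}
    signup_with_password(store2, "someone@example.com", "pbkdf2$constructed")
    print(login_with_provider(store2, "google", "someone@example.com", True))    # blocked
```

Many services go one step further than rule 5 and require the password to be re-entered before a new provider is attached to a verified account; that is a stricter policy layered on the same decision, and is omitted here to keep the contrast with the unsafe path visible.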

I propose a way to improve cybersecurity: FINE companies who lose sensitive customer data to hackers. Fines can be calculated according to the "breach severity grid" which is based on the type of data that is lost. For example:

1. Personal address, DOB - $15.

2. Each social security $20.

3. Driver license number $25.

4. Bank account numbers $30. etc.

So a loss of 4.9 million social security numbers, DOB and addresses would generate a fine of $171,500,000

Problem solved!

Now, the company will think 100x times BEFORE collecting consumer data if they can actually PROTECT IT. Build robust security FIRST!

I would add passwords to the list of fines with growing penalties based on how the passwords were stored.

Unique salt per user hash < shared salt with user hash < no salt but using strong hash < no salt and a weak algorithm like MD5 or SHA-1 < plaintext
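The ranking above can be shown concretely. The following is an added example, not code from the thread or from DoorDash: it implements the lower tiers of that ranking only to expose their tell-tale weakness (identical passwords produce identical stored values when there is no salt or one site-wide salt), and the top tier as a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256 here; the iteration count and record format are assumptions). The `duplicate_password_groups` check is the kind of thing a reviewer can run over a real table to find out which tier it is actually on.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Set

PBKDF2_ITERATIONS = 600_000   # assumed work factor; a CPU-hard KDF is what makes offline cracking slow

# --- the weaker tiers from the ranking, kept only so their weakness can be demonstrated ---
def store_plaintext(password: str) -> str:
    return password                                   # worst tier: the dump IS the password list

def store_unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()   # fast, precomputed-table friendly

SHARED_SALT = b"constructed-site-wide-salt"            # one salt for every user (constructed)

def store_shared_salt_sha256(password: str) -> str:
    # A salt defeats generic precomputed tables, but a shared one still makes equal
    # passwords produce equal digests, and one guess is checked against every user at once.
    return hashlib.sha256(SHARED_SALT + password.encode("utf-8")).hexdigest()

# --- the tier the comment ranks best: unique random salt per user plus a slow KDF ---
def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)                              # fresh per user, per password change
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time comparison

def duplicate_password_groups(table: Dict[str, str]) -> List[Set[str]]:
    """Users whose stored values are byte-identical. With plaintext, an unsalted hash or a
    shared salt this reveals every set of users sharing a password; with per-user salts the
    list is empty even when passwords repeat."""
    by_value = defaultdict(set)
    for user, stored in table.items():
        by_value[stored].add(user)
    return [users for users in by_value.values() if len(users) > 1]

if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}   # constructed
    print(duplicate_password_groups({u: store_unsalted_md5(p) for u, p in users.items()}))
    print(duplicate_password_groups({u: store_shared_salt_sha256(p) for u, p in users.items()}))
    print(duplicate_password_groups({u: hash_password(p) for u, p in users.items()}))
    rec = hash_password("correct horse")
    print(verify_password("correct horse", rec), verify_password("wrong", rec))
```

The per-user record deliberately carries its algorithm name and iteration count, so an operator who "improved security as it scaled" (the Flipboard pattern mentioned earlier in the thread) can re-hash legacy records on next login instead of leaving the old tier behind.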

great suggestion! losing data that is well protected is one thing, but losing plain text personal info is a totally different matter and should be punished more.

Wonder if I'll get another $25-50 from a class action lawsuit over this.

Nah, you'll be offered $25-50 but then they'll swap it out for $25-50 in credit monitoring and/or Applebee's coupons at the last minute.

I can't wait for the FTC to issue a statement, it will be something like:

"Applebee's Coupons are clearly the best value for consumers, from savory appetizers to desserts with a kick, you're going to want to take that delicious settlement!"

I think I take the credit monitoring in this instance?

I'll throw it on the pile of all the other credit monitoring I've gotten from other breaches.

Sadly credit monitoring just increases the chance that your data will be breached once again - what about the option where, because you guys done goofed with my data, you're not allowed to track me anymore or store any data on me - and you're not allowed to charge me to do this nor randomly charge me if a bank tries to talk to you.

Credit Bureaus are just such steaming piles of crap.

DoorDash probably forgot to tip the “third-party service provider”

No, they took their tip to pay the base salary instead.

Stealing tips and now a breach with a terrible response. These people should be in jail and their company should be shut down.

I received the email. I'd asked them to delete my account 6 months ago, and they confirmed at the time they'd "deactivated" it. I guess that wasn't enough to protect me. As an American developer, GDPR seemed like a pain at first, but more and more I wish we had something similar.

Disclosure on this was pretty bad. I got an email saying your password has been reset, if you didn't do this contact support.

Removed payment methods from my account and reset the password, but now I assume this was done to all users?

I don't know a great deal about DoorDash, but my understanding is that they're only in the US. If so, they're not bound by the EU's GDPR data breach disclosure timescales, which are "without undue delay and, where feasible, not later than 72 hours" if they're likely to result in a high risk to the rights and freedoms of data subjects, which this seems to fit. Compare that with the apparent five month delay here, with all its attendant risks to the customers whose data was made available. The EU has its flaws, but when I read stories like this I'm really happy I'm covered by GDPR.

After using food delivery and takeout services, I felt the plastic waste it generates is incredible. All the folks that care even a little bit about the environment, please just get out of your homes and just dine in. Silicon Valley startups just don't care about the environment; you can change that one person at a time.

This was great to get an email about since doordash does not let users delete accounts. You can only 'deactivate' in a way that is easy to 'reactivate'. If I would have actually been allowed to delete my account many months ago when I asked maybe I wouldn't have had my information leaked.

My doordash got hacked a year ago when they did not have a special call center set up. I had no choice but to file a support ticket into the void (which was even more difficult since I did not have access to my account so I had to use a public contact form). I always suspected a breach since the account had a unique password and was only used on my personal phone which I was still in possession of. I wonder if they are just now getting around to disclosing that breach?

I did not hear back from support for 3 months (no exaggeration). I asked that they delete my account back then so you can imagine my delight to receive more security-related correspondence from this company today.

A 490 million dollar fine sounds reasonable. To be paid by giving each customer back $100.

When the F are we going to hold people accountable for piss poor security posture.

Is their password change function working? I can't seem to change my pw. It gets to SMS 2FA then appears to fail when I try to verify the token I'm sent and boots me back to the PW change page.

I don't know what's more frustrating to read -- news of these seemingly constant data breaches or news that the latest Windows 10 Update just broke something else.

Is there a list of all disclosed security breaches somewhere?


There is even an RSS feed. It doesn't cover every breach but certainly significant verified ones - details in the site FAQ. There is even such a thing as faked breaches!

The best site I've used is haveibeenpwned.com, seems to be the go-to for most security breaches and has a tool that can notify you when some of your information has been compromised tied to an email address.

I don't like that because if you put in an email address it doesn't reveal whether you've already addressed the issue or not. It just shows if it was included in a breach, great for newbs to go "ooOOOooooOOoo" but useless for anything else.

I also alias email addresses for every service that allows a + sign in the email field, so now I have no way to notice quickly if the email was included in a leak. But I do have a way to know which service got breached or sold info if I start getting additional emails to any particular alias.
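The per-service alias idea from this comment and from the earlier one about vending a unique address per account (with its option of flagging mail that does not come from the matching domain) is easy to turn into a small detector. The following is an added example, not code from anyone in the thread or from any mail provider: it recovers the service tag from either sub-addressing (`me+doordash@…`) or a catch-all subdomain (`doordash@a.…`), compares the sender's domain against the domain the alias was handed to, and counts foreign senders per alias. `MY_DOMAIN`, the alias-to-owner table and the sample messages are constructed; only doordash.com is a real domain named in the thread.

```python
from collections import Counter
from email.utils import parseaddr
from typing import Dict, List, Optional, Set, Tuple

MY_DOMAIN = "mydomain.example"   # constructed: the mailbox owner's own domain

# Which sender domains are legitimately allowed to write to each alias.
# Constructed mapping: only doordash.com is named in the thread, the rest are placeholders.
ALIAS_OWNERS: Dict[str, Set[str]] = {
    "doordash": {"doordash.com"},
    "mortgage": {"mortgage-company.example"},
}

def _domain(address: str) -> str:
    """Domain part of an RFC 5322 address, display name stripped, lower-cased."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def alias_of(recipient: str) -> Optional[str]:
    """Recover the service tag from the recipient address, or None if the mail was sent to
    the bare mailbox. Supports me+tag@MY_DOMAIN and tag@<anything>.MY_DOMAIN."""
    local = parseaddr(recipient)[1].rpartition("@")[0].lower()
    domain = _domain(recipient)
    if domain == MY_DOMAIN and "+" in local:
        return local.split("+", 1)[1] or None
    if domain.endswith("." + MY_DOMAIN):
        return local or None
    return None

def sender_allowed(sender_domain: str, allowed: Set[str]) -> bool:
    """Exact match or a subdomain of an allowed domain (mail.doordash.com counts for doordash.com)."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)

def classify(msg: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """(verdict, alias): 'ok', 'suspect' (alias reached by a foreign sender),
    'unknown_alias' (tag we never handed out) or 'untagged' (bare mailbox)."""
    alias = alias_of(msg["to"])
    if alias is None:
        return ("untagged", None)
    allowed = ALIAS_OWNERS.get(alias)
    if allowed is None:
        return ("unknown_alias", alias)
    if sender_allowed(_domain(msg["from"]), allowed):
        return ("ok", alias)
    return ("suspect", alias)

def leak_report(messages: List[Dict[str, str]]) -> Dict[str, int]:
    """Foreign-sender hits per alias; an alias with hits is the one whose holder leaked,
    was breached, or sold the address, which is the signal the commenters want."""
    hits = Counter(alias for verdict, alias in map(classify, messages) if verdict == "suspect")
    return dict(hits)

# Constructed sample headers standing in for a day's inbox.
SAMPLE_MESSAGES = [
    {"from": "DoorDash <no-reply@doordash.com>",   "to": "me+doordash@mydomain.example"},
    {"from": "news@mail.doordash.com",             "to": "doordash@a.mydomain.example"},
    {"from": "offers@cheap-stuff.example",         "to": "me+doordash@mydomain.example"},
    {"from": "win@lottery.example",                "to": "doordash@a.mydomain.example"},
    {"from": "hello@mortgage-company.example",     "to": "mortgage@a.mydomain.example"},
    {"from": "anyone@somewhere.example",           "to": "me+forum@mydomain.example"},
    {"from": "anyone@somewhere.example",           "to": "me@mydomain.example"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(classify(m), "<-", m["from"])
    print(leak_report(SAMPLE_MESSAGES))
```

This trusts the header `From:` domain, which a forger can set freely; in a real mail pipeline the comparison should be fed the SPF/DKIM-authenticated domain from the `Authentication-Results` header rather than the raw `From:`, otherwise spam spoofing the service's own domain would be counted as "ok".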


Once again, the US is sorely lacking regulation w.r.t. data breaches. In Europe the breach might have still happened but at least customers would have been told months earlier and there would be some predictable penalties for the companies. I also think that DoorDash would have been more transparent about the steps that led up to this.

We need a US GDPR. Even if there’s nothing like the right to be forgotten, we need data breach regs.

Anyone know how this affects users that login via Facebook Auth with Doordash?

There goes my private data; thanks doordash for the leak

when will it become not ok to suck at this?

>The breach happened on May 4

I don't believe for one second that they didn't know about it for five months! Can someone in the EU please report this so that it's investigated for a GDPR violation?

Edit: from the official post on blog.doordash.com:

>Earlier this month, we became aware of unusual activity involving a third-party service provider.

Of course. This is quite a bit more than the 72 hour window GDPR allows.

I think DoorDash is in just US and Canada at this time.

DoorDash doesn't operate in the EU, so I don't think they need to care about GDPR.

I attempted to purge my data from Doordash's servers. They refused, citing GDPR for some reason and saying the best they could do was to "deactivate" my account (while retaining my personal information).

There goes my private data. Thank you DoorDash for the leak.

Wow, that's crazy

Okay, this has been up for two whole hours, and no one has yet said "OMG, I think I'm going to lose my lunch over this!"

Get with it people! The jokes are right there.

These kinds of bugs and problems will open the eyes of companies to get on to blockchain. As a Blockchain enthusiast, I found it is best to store data on it. And in the market many companies are doing the same too. To fire more questions and queries drop a mail to sagar@trsts.co