Skip to main content

DoorDash hack sees customer contact details exposed; LastPass attacker didn’t access user data

A DoorDash hack has been confirmed by the company, with full customer contact details exposed by the security breach: name, address, and phone numbers.

Separately, LastPass has also confirmed an attack on its own systems, but says it doesn’t believe that any user data was obtained …

DoorDash hack

DoorDash says that a “sophisticated” phishing attack resulted in user data being obtained.

We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected […]

For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address and phone number.

For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed.

For Dashers, the information accessed by the unauthorized party primarily included name and phone number or email address. The information affected for each impacted individual may vary.

The company says that the attacker did not get access to full card details, bank account details, social security numbers, social insurance numbers, or passwords.

The DoorDash hack involved using stolen vendor credentials to gain access to internal DoorDash tools, which then enabled the attacker to access customer data.

The company says that it has taken four steps in response:

  • Notifying law enforcement
  • Notifying affected users, and data protection regulators
  • Enhanced security at DoorDash and the third-party vendor
  • Brought in a cybersecurity firm to assist with the investigation

Further information can be found in the FAQ (scroll down).

LastPass attack

Bleeping Computer discovered an unrelated attack on password management company LastPass, which has since been confirmed by the company.

In this case, it appears the attackers were after the company’s own source code and other proprietary information, and not customer data.

Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.  

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. 

The company stressed that there is no way for a hacker to obtain the Master Passwords of users, as LastPass never has access to these.

This incident did not compromise your Master Password. We never store or have knowledge of  your Master Password. We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password. You can read about the technical implementation of Zero Knowledge here.

Zero Knowledge protocols mean that you can prove to LastPass that you know your Master Password, without LastPass itself knowing what it is. An easy way to understand the principle behind this is the color-blind friend analogy:

A color-blind friend has two balls, one red, one green, which they cannot distinguish, but you can. To prove you can do it, they hold one ball in each hand, place them behind their back, and either swap balls between hands or not, randomly. They show the balls again and you say whether or not they swapped them. Repeat as many times as needed to effectively eliminate guessing.

At the end of the process, your friend still doesn’t know the colors of the balls, but has satisfied themselves that you do.

Take standard cybersecurity precautions

As always, you should ensure you take standard cybersecurity precautions, including: strong, unique passwords for every website and app; disguised answers to security questions; use of two-factor authentication; never clicking emailed links to sensitive services like banks, financial services, and anything requiring your Apple ID. The use of a VPN service is recommended when using public Wi-Fi hotspots.

Photo: Lewis Kang’ethe Ngugi/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear