Restaurant-delivery service DoorDash disclosed today (Sept. 26) that 4.9 million customers, merchants and delivery personnel had their sensitive information compromised in a data breach.
The information includes "names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords," DoorDash said in a blog posting.
The last four digits of credit card numbers belonging to some DoorDash customers was included, as were the last four digits of some bank-account numbers of merchants and delivery people. DoorDash insists that none of the financial information is enough to facilitate fraud.
About 100,000 drivers' license numbers of delivery persons was also compromised.
However, only customers, merchants and delivery persons who registered with DoorDash before April 5, 2018, are affected. Anyone who signed up with DoorDash later is in the clear.
If you're in the former group, you should change your DoorDash password at https://www.doordash.com/accounts/password/reset/.
It's nice to hear that the passwords were hashed and salted -- i.e., sprinkled with added data and then run through a supposedly irreversible mathematical algorithm. That will make them much harder to "crack," but some password-hashing algorithms are stronger than others, and DoorDash didn't specify what it used.
Needless to say, you shouldn't be reusing passwords from one account to another, especially when a credit-card number is tied to an account.
Make up weird, long passwords with lots of different types of characters and write them all down in a book you keep in a locked drawer, or use a password manager to generate and keep the passwords for you. Just don't reuse them.