Friday, 27 September 2019

Doordash's breach is different

One important detail in this week's admission by Doordash that it had suffered (and remained silent about) a breach of 4.9 million records: Doordash, by its nature, stores the home addresses of people who otherwise take care never to disclose where they live.

People at risk from doxing, swatting, stalking, and other forms of privacy invasion take great pains to keep their home addresses secret, such as renting private mailboxes and having all correspondence and deliveries sent to those addresses. Some people even register anonymous Nevada or Delaware LLCs and buy their houses through those companies, just to keep their names out of title registries.

However, there are some services that need to associate your name with your home address. It's hard to send your kid to a public school without allowing the school district to store your home address associated with your name (and school districts regularly suffer breaches). Credit bureaux are likewise impossible to keep your home address away from (o hai, Equifax).

Then there's Doordash. No one gets dinner delivered to a Mail Boxes Etc. and picks it up from there: a food-delivery account necessarily ties your real name (and phone number) to the door you actually sleep behind. Doordash's breach blows up the physsec and opsec for a nation of at-risk people. This isn't just a run-of-the-mill breach: it's a catastrophe for some of the most vulnerable people in America.

Here's a pro-tip: you can set up a Google Alert for your name together with your home address (as a quoted, exact-phrase search), which will notify you whenever Google indexes a new public page containing both, including the pages where data-brokers put that pairing up for sale. It won't see listings that sit behind a paywall or a login, and of course you've now handed Google that exact name-and-address pairing, so if Google Alerts is ever breached, you're screwed.

Users who joined the platform before April 5, 2018 had their name, email and delivery addresses, order history, phone numbers and hashed and salted passwords stolen.

DoorDash confirms data breach affected 4.9 million customers, workers and merchants [Zack Whittaker/TechCrunch]

(Image: U.S. Army Materiel Command, CC BY, modified)