The demand for food delivery services like DoorDash has surged. Apps offering meals delivered straight to your door are convenient and give you a great selection.
But considering how much sensitive data these apps collect from users, how safe are they? A DoorDash data breach highlights how much personal information is stored by these services, so what scams do you need to look out for?
What You Need to Know About the DoorDash Data Leak
In a 2019 blog post, DoorDash warned users of a data leak that happened on May 4, 2019. The breach affected approximately 4.9 million consumers, Dashers, and merchants who joined the platform on or before April 5, 2018.
Among the sensitive data accessed by the “unauthorized third party” were people’s names, email addresses, delivery addresses, order history, phone numbers, plus hashed and salted passwords.
The leak also compromised some customers’ credit card details and digits associated with the account numbers of some merchants. Approximately 100,000 Dashers’ driver’s license numbers were further exposed by the breach.
How Can This Leak Affect You?
Woke up this morning to someone else’s door dash order from last night outside my door…🤨
— 💀 (@kasserole96) January 19, 2021
While DoorDash claims that credit card and bank account details that were stolen were not enough to make fraudulent charges, other Personally Identifiable Information (PII) was leaked. There’s a huge chance that hackers have been peddling your account information for years.
The type of information exposed during the leak may put you at risk of becoming a victim of identity theft. Your information could be used to commit fraud and other crimes. It may also expose you to an attack called credential stuffing, during which your account information from one leak is used to access your other accounts.
On the dark web, DoorDash accounts with attached credit card details are reportedly sold for $4.49 each.
DoorDash Scams You Should Know About
While amateur hackers use these accounts just to order free food, some use the information in these accounts for targeted phishing campaigns, vishing, and smishing. These phishing campaigns are used to infiltrate a system or infect devices and networks with ransomware.
Here are five scams you need to watch out for.
1. DoorDash Smishing Scams
DoorDash says that the leak exposed only the last four digits of consumer payment cards, and the last four digits of account numbers for merchant and Dasher accounts. But since it exposed much other sensitive data, like phone numbers and addresses, users should watch out for scams meant to collect their full financial account details.
Some users in forums have reported receiving smishing texts from hackers pretending to be from DoorDash. The message gives details of a food order you supposedly placed, with a link that it claims will help you verify your account information.
You may also be told to confirm this delivery, so if you didn’t order anything through the app, you’d feel compelled to click the link to cancel it. The link will lead to a pharming site that will collect your credit card information.
2. DoorDash Email Survey Scam
I was part of a Premera data leak it seems since recent notice. Had another last month from DoorDash. I these two are approximately #9 & #10 over the years. It’s becoming “normal.”
— Heidster (@Heidi19461090) October 12, 2019
Nothing is quite as alluring for customers of delivery services as the promise of a huge discount on future orders. Beware of phishing emails with this kind of MO.
The email survey scam will ask you to answer a survey and in exchange for your time, they’ll promise a discount to be applied to your next DoorDash order. Offers for another delivery service like UberEats might be included too. You’ll be asked to log into your account.
Except this isn’t really from the food delivery company. The site they lead you to might look legitimate, but this one’s controlled by a hacker. Any information you enter will be harvested.
3. DoorDash Delivery Scam
Here’s a more sinister and dangerous scam that involves a fake DoorDash delivery at your door.
A woman in Ohio reported a suspicious group who came to her house for a DoorDash delivery. One individual claimed to have her order. The homeowner didn’t buy anything from DoorDash though.
This should’ve been a simple case of a delivery worker at the wrong address, except the female “Dasher” didn’t come alone.
Through the homeowner’s security camera, she saw two other men coming up to her yard. They were carrying something in their hands. The owner then heard the men say “hide, hide” and “I’m supposed to cover you”. This naturally prompted her to call 911.
Remember: the 2019 leak exposed PII including delivery addresses. So criminals know that you use DoorDash, which name is associated with the account, and where that person lives.
4. DoorDash Scams Targeting Delivery Workers
Even people trying to make an honest buck through the gig economy are being targeted by scammers. Numerous Dashers have reported getting scammed out of their DoorDash earnings.
Scammers use a phone cloaking tool to make their number appear to be DoorDash’s. They then tell the Dasher that another device is trying to access their account. The caller then asks for the PIN and login information to supposedly “verify” their identity.
In a few days, the Dasher will realize that he or she didn’t get paid for all the deliveries. The hacker has managed to change the banking details in the DoorDash account, so the Dasher’s earnings are deposited into the fraudster’s account instead.
5. DoorDash Scams Targeting Merchants: Cyber Shoplifting
Chargebacks were put in place to protect consumers. This has been most useful for unauthorized purchases after a credit card had been stolen. A consumer can simply call the bank to reverse the charges from the disputed credit card purchase.
But there has been an increasing number of fraudsters who are exploiting chargebacks meant to protect consumers. In fact, according to reports, up to 86% of chargebacks are fraudulent.
Hackers make purchases with the intention of asking for a chargeback afterward so they can have the products for free. This scam is also called cyber shoplifting or the chargeback scam. This problem has been plaguing merchants, including those in the food and beverage industry.
While there are individuals who may be doing this on their own to get a free meal (maybe after realizing how easy it is to reverse a charge on their cards), others are part of an organized retail scam group.
Aside from all the problems that come with having your details exposed after a data leak, you’ll also need to watch out for scammers that use the name of a service like DoorDash.
If you think your details have been compromised, take steps to protect yourself. Monitor your bank statements for suspicious charges, use multi-factor authentication in your accounts, enable SMS alerts for transactions, and if you think it’s necessary, freeze your credit.