Hey Doordash: Why Are You Hiding Your 'Security Notice' From Google Just Days After You Revealed A Massive Security Breach? (original) (raw)
from the questions,-questions dept
As you might have heard, late last week, delivery company DoorDash admitted via a Medium post that there had been a large data breach exposing info on 4.9 million users of the service. The breach had actually happened months earlier, but was only just discovered earlier this month.
We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.
The information accessed included names, emails, delivery addresses, order histories and phone numbers. Salted and hashed passwords were accessible too, but assuming Doordash didn’t mess up the salting/hashing, those should still be safe. Some customers also had the last four digits of their credit cards revealed.
All in all a somewhat typical breach that happens these days. However, as TechCrunch cybersecurity reporter Zack Whittaker noticed, somewhere right around the time the breach went up, DoorDash told Google to stop indexing its “SecurityNotices” page via robots.text.
You know what's really weird? @DoorDash has no mention of its massive data breach on its homepage. There's nothing on its Twitter or Facebook page, either.
What's also weird is DoorDash's robots file hides "/securitynotice" from Google, so people can't even search for it. pic.twitter.com/m81Geafxnz
— Zack Whittaker (@zackwhittaker) September 27, 2019
He also notes that DoorDash doesn’t seem to be going out of its way to alert people to the breach — pointing out that there’s nothing on DoorDash’s front page, or on its various social media accounts. Just the blog post on Medium (and, if I’m not mistaken, Medium posts can end up behind a paywall in lots of cases). That’s pretty lame. My guess is that since DoorDash says it’s “contacting” customers impacted by the breach, it felt it didn’t need to do wider outreach. But… that seems like a huge cop out. Notifying people of such a breach is kind of important.
And, also, yanking your “securitynotices” directory from Google (even if it currently appears blank) seems super suspicious. Why do that except to hide information from people searching for info about your security issues? A breach of this nature is bad, but it happens to so many companies these days that I don’t think this kind of breach leads to much trust lost from customers. However, proactively trying to keep things quiet about this… well… that’s the kind of thing that raises eyebrows and destroys trust.
Of course, in a bit of perfect timing to distract from all of this, DoorDash happily announced today that it’s now delivering for McDonald’s, so get your Big Macs quick and ignore any lingering concerns about security…
Filed Under: breach notification, robots.txt, security, security breaches
Companies: doordash