Doordash's breach is different

Originally published at: https://boingboing.net/2019/09/27/swatters-paradise.html

6 Likes

What’s likely to happen here if someone’s home address is exposed via this breach?

Say a woman hiding herself and her children is now located by an abusive ex-husband, for example. This ex tracks them down to do harm using data from this breach.

Best case scenario is a celebrity gets harassed by a fan and that celebrity has the resources to sue Doordash into oblivion. Worst case scenario is someone gets murdered and these startups continue to ignore data security.

7 Likes

I admit it - I’m the one who did it.

But it was only so I could steal Lizzo’s fries.

1 Like

Not breached, but something to watch out for:

3 Likes

If you buy your house using an anonymous LLC do you use door dash?

3 Likes

Quite possibly yes? Titling your real estate under an anonymous LLC protects you because real estate titles and taxes are publicly available data that anyone can view via a government website. Putting your name, address, and cc info into a food delivery app to get a pizza is nowhere near the same thing, since the apps generally promise that your info is encrypted and stored safely.

6 Likes

Is anybody else finding it impossible to change their Doordash password? I am able to enter a new one on the appropriate page, and I get the two-factor authentication code (yeah, security!)… but then… nothing.

Just another thing that makes this one different?

1 Like

Quite possibly, yes. I’m in the middle of looking at doing an anonymous property lease because we’re opening an organizing center for some pretty controversial political issues and would rather not have someone be able to pull up the Secretary of State and County Auditor websites and end up with our home addresses to settle political scores. At the same time I have no reason to be particularly afraid of the burger delivery company. Sometimes anonymous purchases are in place to deal with the issues that come from easy universal access to information, rather than trying to provide a universal shield.

4 Likes

Yes. I had to go to the app on my phone and tell it I lost my password. Then I could change it. Otherwise it would not change. My wife was able to change it that way as well.

2 Likes

Thank you. That did the trick!

2 Likes

Doordash’s breach blows up the physsec and opsec for a nation of at-risk people.

As a person in tech, it is important to remember that if this kind of security is important to you, you just can’t give your info to these kinds of companies. Even if there are no reported breaches, the majority of the time the majority of the people at the company can and do access the db just to have a look, search for interesting stuff/funny names/famous people/etc.

Temp workers, contractors, employees all have access with no audits and no protections the majority of the time. The db gets copied to dev machines, shared, leaked quietly to private groups, literally sold to competitors, very often copied and kept when employees leave, etc.

Seriously, the security around these is the same or worse than password security: everyone knows what they are supposed to do but they just reuse passwords and write them on a post-it on their desk. There are, of course, exceptions.

I’ve gone to job interviews with “real world problem solving” questions where they give you the connection details to a dev db in their staging environment to use for the problem. Which is a slightly out of date clone of their production database. Friends of mine have been instructed to download docker images for similar interviews that had real data in them, and no one even asked them to delete it after.

Every one of these places had some kind of privacy policy document and best practices stuff to put on their website and to describe to the press. Someday soon they plan to get around to actually doing it, but this quarter's metrics are too important for that kind of “nice to have for the security nerds” stuff.

8 Likes
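The “prod clone on every dev box” problem in the post above is the one place in this thread where a concrete control fits. The block below is an added example, not DoorDash’s code and not something anyone in the thread posted: it pseudonymizes the PII columns of a snapshot with a keyed hash before the copy leaves production, keeps joins working because the same customer always maps to the same token, and refuses to ship the copy if any original value survives. The column names, the sample rows and the secret are assumptions made up for the example.

```python
"""Pseudonymize a customer table before a production snapshot is handed to
developers, interviewers, or a shared docker image.

Added example for this thread, not DoorDash's code. The column names and the
sample rows are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed production rows (fictional people). Rows 1 and 3 belong to the
# same customer so the example can show that pseudonyms stay consistent.
PROD_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-555-0100", "address": "12 Safe House Ln", "order_total": 23.50},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "phone": "+1-555-0101", "address": "99 Elm St", "order_total": 11.00},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com",
     "phone": "+1-555-0100", "address": "12 Safe House Ln", "order_total": 8.25},
]

PII_COLUMNS = ("name", "email", "phone", "address")


def _token(secret: bytes, column: str, value: str) -> str:
    """Keyed hash of one cell. Same input -> same token, so joins and
    per-customer aggregates still work in staging, but without the secret
    nobody can recompute or reverse it. The secret never leaves production."""
    msg = f"{column}:{value}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def pseudonymize_row(row: dict, secret: bytes) -> dict:
    """Return a copy of `row` with every PII column replaced by a synthetic
    value derived from its token. Non-PII columns pass through unchanged."""
    out = dict(row)
    out["name"] = f"user_{_token(secret, 'name', row['name'])}"
    out["email"] = f"user_{_token(secret, 'email', row['email'])}@staging.invalid"
    # Masked phone always has a 9 after the exchange code, so it can never
    # reproduce one of the 555-01xx numbers in the sample rows.
    digits = int(_token(secret, "phone", row["phone"]), 16) % 1000
    out["phone"] = f"+1-555-9{digits:03d}"
    house = int(_token(secret, "address", row["address"]), 16) % 9000 + 1000
    out["address"] = f"{house} Test St"
    return out


def scrub_snapshot(rows: list, secret: bytes) -> list:
    """Pseudonymize every row of a snapshot."""
    return [pseudonymize_row(r, secret) for r in rows]


def leaked_values(prod_rows: list, masked_rows: list) -> list:
    """Gate to run before the snapshot leaves production: report any
    original PII value that still appears anywhere in the masked output."""
    blob = json.dumps(masked_rows)
    seen, leaks = set(), []
    for r in prod_rows:
        for col in PII_COLUMNS:
            v = r[col]
            if v not in seen and v in blob:
                leaks.append(v)
            seen.add(v)
    return leaks


if __name__ == "__main__":
    # Assumption: in real use the secret comes from a KMS and stays in prod.
    secret = b"rotate-me-and-keep-me-in-prod-only"
    masked = scrub_snapshot(PROD_ROWS, secret)
    if leaked_values(PROD_ROWS, masked):
        raise SystemExit("refusing to export: original PII still present")
    print(json.dumps(masked, indent=2))
```

Run the leak gate as the last step of whatever job produces the staging dump, and rotate the secret when the dump is regenerated so old and new snapshots cannot be joined against each other.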

Of course not, that’s the butler’s job. :face_with_monocle:

3 Likes

Hell, if you have a birthdate, name, and last 4 of a person’s social in the state of Florida, you can enter them into the Fish & Game license website and get the person’s street address and other minor ID items served up to you if they’ve ever held any license. But hey, at least there’s no password to hack, amirite?!

2 Likes

This topic was automatically closed after 5 days. New replies are no longer allowed.