Hey Doordash: Why Are You Hiding Your 'Security Notice' From Google Just Days After You Revealed A Massive Security Breach?

from the questions,-questions dept

As you might have heard, late last week, delivery company DoorDash admitted via a Medium post that there had been a large data breach exposing info on 4.9 million users of the service. The breach had actually happened months earlier, but was only just discovered earlier this month.

We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.

The information accessed included names, emails, delivery addresses, order histories and phone numbers. Salted and hashed passwords were accessible too, but assuming Doordash didn't mess up the salting/hashing, those should still be safe. Some customers also had the last four digits of their credit cards revealed.

All in all a somewhat typical breach that happens these days. However, as TechCrunch cybersecurity reporter Zack Whittaker noticed, somewhere right around the time the breach went up, DoorDash told Google to stop indexing its "SecurityNotices" page via robots.text.

He also notes that DoorDash doesn't seem to be going out of its way to alert people to the breach -- pointing out that there's nothing on DoorDash's front page, or on its various social media accounts. Just the blog post on Medium (and, if I'm not mistaken, Medium posts can end up behind a paywall in lots of cases). That's pretty lame. My guess is that since DoorDash says it's "contacting" customers impacted by the breach, it felt it didn't need to do wider outreach. But... that seems like a huge cop out. Notifying people of such a breach is kind of important.

And, also, yanking your "securitynotices" directory from Google (even if it currently appears blank) seems super suspicious. Why do that except to hide information from people searching for info about your security issues? A breach of this nature is bad, but it happens to so many companies these days that I don't think this kind of breach leads to much trust lost from customers. However, proactively trying to keep things quiet about this... well... that's the kind of thing that raises eyebrows and destroys trust.

Of course, in a bit of perfect timing to distract from all of this, DoorDash happily announced today that it's now delivering for McDonald's, so get your Big Macs quick and ignore any lingering concerns about security...

Filed Under: breach notification, robots.txt, security, security breaches
Companies: doordash


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That Anonymous Coward (profile), 30 Sep 2019 @ 7:06pm

    What is "Because there is no actual penalty for hiding it"?

    Oooh the daily double

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 30 Sep 2019 @ 10:11pm

    'Nothing to see here, move along...'

    Even if everything is above-board and it was an honest mistake that they handled responsibly taking active measures to hide information like this is just all sorts of stupid, as true or not it makes it look like they very much have something to hide.

    If they're trying to maintain a good image of caring about security and handling it well this is about the worst thing they could have done, and whoever made that choice really needs to be given the boot before they dig even deeper and torpedo the company's image even more.

    reply to this | link to this | view in chronology ]

  • icon
    PaulT (profile), 1 Oct 2019 @ 12:59am

    Hey, at least we have an example of a company actually using the tools provided to them, rather than screaming at the courts about how Google should be forced to admin their sites for them. I mean, robots.txt has only been around for a few decades, it's about time people started using it. Even if used for evil, there's at least a verifiable trail.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2019 @ 1:11am

    This could only be improved if DoorDash had chosen to DMCA Google for daring to list their security notices page, then declare that "copyright law is the only way we have to effectively manage this issue".

    reply to this | link to this | view in chronology ]

  • identicon
    Insurance, 1 Oct 2019 @ 4:53am

    Insiurance

    What I think is funny, is that door dashes insurance documents are not readily available through the driver app. This should be available at all times to all drivers. Furthermore, they have never asked me wants to upload my personal insurance documents. Nor will they ever. What is up with that?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2019 @ 5:54am

    so get your Big Macs quick and ignore any lingering concerns about security...

    I appreciate you ending sentences most of the time. They are meant to make us think, or sometimes imply guilt. This one, however; is comical. I would put the national average of 1 in 100 cares about data security. For the crowd that is too lazy to go to McDonald's I would move that number to 1 in 1,000,000. If people were so concerned with security all these smart speakers would not be a runaway success.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2019 @ 6:30am

    looks like they may have updated it already...

    current listing: https://www.doordash.com/robots.txt User-agent: * Disallow: /store/so-much-maple-juneau-19113/ Disallow: /orders/ Disallow: /orders/track/* Disallow: /order_history/ Disallow: /sv/ Allow: /consumer/login/ Allow: /consumer/invite/ Disallow: /consumer/ Allow: /dasher/signup/$ Disallow: /dasher/signup/* Disallow: /dasher/application* Disallow: /apply/* Disallow: /qr-code/* Disallow: /merchant/applyV2/* Disallow: /securitynotice Allow: *.js Allow: *.css

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2019 @ 7:05am

    And that should be fine.

    Techdirt usually goes out of its way to point out that robots.txt has existed for a really long time and if news sites don't want to be indexed by Google (and others) without receiving compensation, then they can simply update their robots.txt file(s).

    It's a bit hypocritical of you all to start complaining when a company actually does what you suggest to minimize the spread of an article they probably don't want indexed.

    reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 1 Oct 2019 @ 7:29am

      Re: And that should be fine.

      "It's a bit hypocritical of you all to start complaining when a company actually does what you suggest'

      It's really not, unless you think that the same tool being used in both instances makes them the same. In one instance people are refusing to use the tool despite it achieving what they claim to want. In the other, they're using the tool in order to try and hide wrongdoing.

      There's no overlap, apart from the tool being the same. If I say someone should use a screwdriver to undo some screws on their property themselves, then later see someone else trying to prize open a car door with the same type of screwdriver, I'm not being hypocritical over screwdriver usage.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Oct 2019 @ 11:07pm

        Re: Re: And that should be fine.

        Yeah, it's pretty shitfaced to compare news sites refusing to use robots.txt to avoid getting indexed by Google to a company using robots.txt to hide security risk information. Almost like this chucklenut has a vested interest in the usage...

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Oct 2019 @ 8:02am

      Re: And that should be fine.

      Your confusion is noted but is obviously disingenuous.

      reply to this | link to this | view in chronology ]

    • icon
      bhull242 (profile), 1 Oct 2019 @ 11:24am

      Re: And that should be fine.

      Techdirt says that it’s fine generally for copyright and trademark issues and compensation, sure. That’s a legal issue that’s pretty broad.

      This isn’t a legal issue; no one here is saying that this is or ought to be illegal. We’re just saying that, in this particular instance, it’s really shady and probably unethical or immoral. That’s completely different. Hiding your security notices from Google is perfectly legal AFAIK, but it makes you suspicious as hell.

      There are perfectly good reasons to hide some things from Google, like private information or personal documents in the cloud. It’s also fine, though not so sensible, to hide things in a vain and likely counterproductive attempt to protect your copyright or to spitefully keep Google from “profiting off your work”. This is not one of those cases.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.