Hey Doordash: Why Are You Hiding Your 'Security Notice' From Google Just Days After You Revealed A Massive Security Breach?

from the questions,-questions dept

As you might have heard, late last week, delivery company DoorDash admitted via a Medium post that there had been a large data breach exposing info on 4.9 million users of the service. The breach had actually happened months earlier, but was only just discovered earlier this month.

We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.

The information accessed included names, emails, delivery addresses, order histories and phone numbers. Salted and hashed passwords were accessible too, but assuming Doordash didn't mess up the salting/hashing, those should still be safe. Some customers also had the last four digits of their credit cards revealed.

All in all a somewhat typical breach that happens these days. However, as TechCrunch cybersecurity reporter Zack Whittaker noticed, somewhere right around the time the breach went up, DoorDash told Google to stop indexing its "SecurityNotices" page via robots.text.

He also notes that DoorDash doesn't seem to be going out of its way to alert people to the breach -- pointing out that there's nothing on DoorDash's front page, or on its various social media accounts. Just the blog post on Medium (and, if I'm not mistaken, Medium posts can end up behind a paywall in lots of cases). That's pretty lame. My guess is that since DoorDash says it's "contacting" customers impacted by the breach, it felt it didn't need to do wider outreach. But... that seems like a huge cop out. Notifying people of such a breach is kind of important.

And, also, yanking your "securitynotices" directory from Google (even if it currently appears blank) seems super suspicious. Why do that except to hide information from people searching for info about your security issues? A breach of this nature is bad, but it happens to so many companies these days that I don't think this kind of breach leads to much trust lost from customers. However, proactively trying to keep things quiet about this... well... that's the kind of thing that raises eyebrows and destroys trust.

Of course, in a bit of perfect timing to distract from all of this, DoorDash happily announced today that it's now delivering for McDonald's, so get your Big Macs quick and ignore any lingering concerns about security...

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach notification, robots.txt, security, security breaches
Companies: doordash


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    That Anonymous Coward (profile), 30 Sep 2019 @ 7:06pm

    What is "Because there is no actual penalty for hiding it"?

    Oooh the daily double

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 30 Sep 2019 @ 8:05pm

    Re:

    I will take corporate cop-outs for 1000 please.

    link to this | view in thread ]

  3. icon
    That One Guy (profile), 30 Sep 2019 @ 10:11pm

    'Nothing to see here, move along...'

    Even if everything is above-board and it was an honest mistake that they handled responsibly taking active measures to hide information like this is just all sorts of stupid, as true or not it makes it look like they very much have something to hide.

    If they're trying to maintain a good image of caring about security and handling it well this is about the worst thing they could have done, and whoever made that choice really needs to be given the boot before they dig even deeper and torpedo the company's image even more.

    link to this | view in thread ]

  4. icon
    PaulT (profile), 1 Oct 2019 @ 12:59am

    Hey, at least we have an example of a company actually using the tools provided to them, rather than screaming at the courts about how Google should be forced to admin their sites for them. I mean, robots.txt has only been around for a few decades, it's about time people started using it. Even if used for evil, there's at least a verifiable trail.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 1 Oct 2019 @ 1:11am

    This could only be improved if DoorDash had chosen to DMCA Google for daring to list their security notices page, then declare that "copyright law is the only way we have to effectively manage this issue".

    link to this | view in thread ]

  6. identicon
    Insurance, 1 Oct 2019 @ 4:53am

    Insiurance

    What I think is funny, is that door dashes insurance documents are not readily available through the driver app. This should be available at all times to all drivers. Furthermore, they have never asked me wants to upload my personal insurance documents. Nor will they ever. What is up with that?

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 1 Oct 2019 @ 5:54am

    so get your Big Macs quick and ignore any lingering concerns about security...

    I appreciate you ending sentences most of the time. They are meant to make us think, or sometimes imply guilt. This one, however; is comical. I would put the national average of 1 in 100 cares about data security. For the crowd that is too lazy to go to McDonald's I would move that number to 1 in 1,000,000. If people were so concerned with security all these smart speakers would not be a runaway success.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 1 Oct 2019 @ 6:30am

    looks like they may have updated it already...

    current listing: https://www.doordash.com/robots.txt User-agent: * Disallow: /store/so-much-maple-juneau-19113/ Disallow: /orders/ Disallow: /orders/track/* Disallow: /order_history/ Disallow: /sv/ Allow: /consumer/login/ Allow: /consumer/invite/ Disallow: /consumer/ Allow: /dasher/signup/$ Disallow: /dasher/signup/* Disallow: /dasher/application* Disallow: /apply/* Disallow: /qr-code/* Disallow: /merchant/applyV2/* Disallow: /securitynotice Allow: *.js Allow: *.css

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 1 Oct 2019 @ 7:05am

    And that should be fine.

    Techdirt usually goes out of its way to point out that robots.txt has existed for a really long time and if news sites don't want to be indexed by Google (and others) without receiving compensation, then they can simply update their robots.txt file(s).

    It's a bit hypocritical of you all to start complaining when a company actually does what you suggest to minimize the spread of an article they probably don't want indexed.

    link to this | view in thread ]

  10. icon
    PaulT (profile), 1 Oct 2019 @ 7:29am

    Re: And that should be fine.

    "It's a bit hypocritical of you all to start complaining when a company actually does what you suggest'

    It's really not, unless you think that the same tool being used in both instances makes them the same. In one instance people are refusing to use the tool despite it achieving what they claim to want. In the other, they're using the tool in order to try and hide wrongdoing.

    There's no overlap, apart from the tool being the same. If I say someone should use a screwdriver to undo some screws on their property themselves, then later see someone else trying to prize open a car door with the same type of screwdriver, I'm not being hypocritical over screwdriver usage.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 1 Oct 2019 @ 8:02am

    Re: And that should be fine.

    Your confusion is noted but is obviously disingenuous.

    link to this | view in thread ]

  12. icon
    bhull242 (profile), 1 Oct 2019 @ 11:24am

    Re: And that should be fine.

    Techdirt says that it’s fine generally for copyright and trademark issues and compensation, sure. That’s a legal issue that’s pretty broad.

    This isn’t a legal issue; no one here is saying that this is or ought to be illegal. We’re just saying that, in this particular instance, it’s really shady and probably unethical or immoral. That’s completely different. Hiding your security notices from Google is perfectly legal AFAIK, but it makes you suspicious as hell.

    There are perfectly good reasons to hide some things from Google, like private information or personal documents in the cloud. It’s also fine, though not so sensible, to hide things in a vain and likely counterproductive attempt to protect your copyright or to spitefully keep Google from “profiting off your work”. This is not one of those cases.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 1 Oct 2019 @ 11:07pm

    Re: Re: And that should be fine.

    Yeah, it's pretty shitfaced to compare news sites refusing to use robots.txt to avoid getting indexed by Google to a company using robots.txt to hide security risk information. Almost like this chucklenut has a vested interest in the usage...

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.