Another week, another data breach. This time around, it’s the meal-delivery service DoorDash, which just announced that hackers had stolen data from 4.9 million customers, delivery workers and merchants back in May.
“This is going to be worth a lot of money on the dark web,” says Darren Guccione, CEO and co-founder at Keeper Security, creator of the Keeper password manager and digital vault. “At 4.9 million records, the way that this kind of breach monetizes and remonetizes, it’ll generate probably upwards of $50 million potential dark web monetization.”
That’s not simply because of the sheer number of accounts affected. Guccione says the type of information that was stolen is also very troubling.
If you signed up before April 5, 2018, DoorDash says you may have had your name, email, delivery address, order history and phone numbers stolen. The cyberthieves also grabbed the last four digits of payment cards, though full numbers and card verification values (CVV) were not taken.
“There was a plethora of additional information stolen that’s going to create problems for some people,” says Guccione. “Full name, physical and billing address, email address, phone number – all of that poses a risk of an account takeover.”
Another red flag: DoorDash first found out about this breach “earlier this month,” according to the company’s statement.
“When you’re unable to detect the breach for four months, that’s a problem,” says Guccione. “A system should know that someone’s trying to breach a database or a network within seconds, right?”
Historically, companies have a terrible track record when it comes to alerting the public immediately after discovering data breaches. Marriott learned of the massive data breach that affected over 500 accounts nearly three months before going public. Uber waited over a year before telling the public about a breach that affected 57 million customers.
“It is not uncommon for breached login credentials to find their way on the dark web long before public disclosure is made,” says Guccione. That’s dangerous for consumers, since cyber security experts recommend that the very first step you should take after learning of a breach is to reset your password.
Indeed, the DoorDash statement encourages users to reset their passwords. What it doesn’t say is that it might be closing the barn door five months after the horse has bolted.
There is a way to get an early heads up about data breaches and be informed at the very first sign your personal data has been compromised. Dark web monitoring services like Keeper’s BreachWatch can scan the dark web for stolen login credentials and alert you in real time when your personal data is detected.
“It’s not based on public disclosure. It’s based on what actually happens on the dark web,” says Guccione.
Don’t expect a dark web monitoring service to put the genie back in the bottle. Once your information is stolen, it’s impossible to prevent criminals from using it or delete it from the dark web, says Guccione, “but a monitoring service will alert you in real time to rotate that account’s password.”
And that can make all the difference between having your identity stolen and staying one step ahead of the cyber criminals.