/ This Week in Data Breaches

This Week in Data Breaches: 100k Driver’s License Numbers Exposed in DoorDash Data Breach

Welcome to our round-up of the latest data breaches, leaks, and privacy intrusions. This week: 100,000 driver’s licenses stolen in DoorDash data breach, 218 million Words With Friends accounts compromised, and 8 government billing portals hacked.

DoorDash Data Breach Exposed Personal Information of 4.9 Customers

Late last week, food delivery company DoorDash confirmed that 4.9 million consumers, Dashers, and merchants had their account information stolen in a data breach that occurred in May. The company said that the stolen data included profile information such as names, email addresses, delivery addresses, order history, phone numbers, and hashed, salted passwords.

Approximately 100,000 driver’s license numbers were exposed in the breach. Some users also had the last four digits of their credit card numbers stolen, while some Dashers and merchants had the last four digits of their bank account numbers stolen.

All of the affected consumers, Dashers, and merchants joined the platform on or before April 5, 2018. Those who joined after April 5, 2018 are not affected. DoorDash is sending out email notices to those affected. If you believe you were affected by the breach, you should reset your password.

In a statement, DoorDash said, “Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”

DoorDash is already facing questions about why it took more than 5 months for the breach to be detected. It is unclear if the breach is related to reports last year of dozens of users complaining that their DoorDash accounts had been hacked and fraudulently charged for deliveries. Some of the affected users had passwords that were unique to DoorDash, making a credential stuffing attack unlikely, as the company claimed at the time.

218 Million Words With Friends Accounts Compromised in Massive Data Breach

More than 200 million Words With Friends users had their account information stolen, according to Hacker News. The apps’ publisher, Zynga, confirmed that it suffered a data breach in early September. The alleged hacker told Hacker News that the breach affected all Android and iOS users who signed up for Words With Friends on or before September 2.

In a statement, Zynga said, “We have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.  As a precaution, we have taken steps to protect these users’ accounts from invalid logins.  We plan to further notify players as the investigation proceeds.”

According to Hacker News, the breach included names, email addresses, login IDs, Facebook IDs, phone numbers, hashed passwords, password reset tokens, and Zynga account IDs. Zynga said that no financial information was compromised. The same hacker previously attempted to sell the data of 839 million accounts stolen from 32 separate websites on the dark web marketplace Dream Market in February.

8 Click2Gov Billing Portals Hacked, 20k Payment Cards Compromised

Click2Gov bill-payment portals in 8 cities were hit by hackers in a wave of attacks beginning in August, Wired reported. Click2Gov’s self-service bill-payment portals are used by utility companies, cities, and community-development organizations around the country to provide customers with bill and ticket payment services.

More than 20,000 records from the attacks are already up for sale on dark web forums and marketplaces. According to security researchers, payment cards belonging to people from all 50 states were compromised. Affected cities include: Deerfield Beach, Florida; Palm Bay, Florida; Milton, Florida; Bakersfield, California; Coral Springs, Florida; Pocatello, Idaho; Broken Arrow, Oklahoma; Ames, Iowa.

The latest attacks follow a previous wave that occurred in December 2018, which compromised 300,000 payment cards from dozens of cities in the US and Canada. That wave was estimated to have generated over $1.9 million in fraud, a highly lucrative endeavor that probably made the portals even more of a target. Following that first wave, Click2Gov rolled out patches for known vulnerabilities. All of the latest victims were running these updated systems, yet were still compromised.

Tip of the Week

We often hear from readers who want to know how they can protect themselves online amidst all of these data breaches. Knowing where to start can be difficult, so each week we will be sharing a new tip to help you safeguard your data and protect your privacy online. Last week’s tip: lock down and protect your accounts with a password manager.

This week, use two-factor authentication to further secure your accounts.

Two-factor authentication (2FA) is an extra layer of security used to make sure that the person who is trying to get access to an account is who they say they are. Along with a traditional password, two-factor authentication also requires you to enter an additional piece of information to authenticate your identity, usually a unique one-time passcode sent via SMS or a software token generated by an authentication app.

Two-factor authentication makes it much harder for hackers and identity thieves to get unauthorized access to your online accounts. So even if a password to one of your accounts is stolen or leaked, thieves won't be able to gain access to your account.

Make sure to go through all of your online accounts and turn on two-factor authentication for the ones that support it. For help finding which sites support 2FA, check out TwoFactorAuth.org.

While SMS-based 2FA is still far more secure than simply using a password and can be safely used for low-risk accounts that don't contain sensitive personal information, SMS codes are vulnerable to interception. It is recommended that you use a dedicated authentication app to generate codes for 2FA when available.

There are quite a few free 2FA apps available for download on mobile, such as Authy or Google Authenticator. Once you have downloaded and installed a 2FA app, you can then use it to generate 2FA codes for all your online accounts that support it.

Want to learn more? Check out our in-depth security and privacy guides:

Bloom: Take Back Control of Your Data

At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.

It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!