Hey Doordash: Why Are You Hiding Your 'Security Notice' From Google Just Days After You Revealed A Massive Security Breach?
from the questions,-questions dept
As you might have heard, late last week, delivery company DoorDash admitted via a Medium post that there had been a large data breach exposing info on 4.9 million users of the service. The breach had actually happened months earlier, but was only just discovered earlier this month.
We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.
The information accessed included names, emails, delivery addresses, order histories and phone numbers. Salted and hashed passwords were accessible too, but assuming Doordash didn’t mess up the salting/hashing, those should still be safe. Some customers also had the last four digits of their credit cards revealed.
All in all a somewhat typical breach that happens these days. However, as TechCrunch cybersecurity reporter Zack Whittaker noticed, somewhere right around the time the breach went up, DoorDash told Google to stop indexing its “SecurityNotices” page via robots.text.
You know what's really weird? @DoorDash has no mention of its massive data breach on its homepage. There's nothing on its Twitter or Facebook page, either.
What's also weird is DoorDash's robots file hides "/securitynotice" from Google, so people can't even search for it. pic.twitter.com/m81Geafxnz
— Zack Whittaker (@zackwhittaker) September 27, 2019
He also notes that DoorDash doesn’t seem to be going out of its way to alert people to the breach — pointing out that there’s nothing on DoorDash’s front page, or on its various social media accounts. Just the blog post on Medium (and, if I’m not mistaken, Medium posts can end up behind a paywall in lots of cases). That’s pretty lame. My guess is that since DoorDash says it’s “contacting” customers impacted by the breach, it felt it didn’t need to do wider outreach. But… that seems like a huge cop out. Notifying people of such a breach is kind of important.
And, also, yanking your “securitynotices” directory from Google (even if it currently appears blank) seems super suspicious. Why do that except to hide information from people searching for info about your security issues? A breach of this nature is bad, but it happens to so many companies these days that I don’t think this kind of breach leads to much trust lost from customers. However, proactively trying to keep things quiet about this… well… that’s the kind of thing that raises eyebrows and destroys trust.
Of course, in a bit of perfect timing to distract from all of this, DoorDash happily announced today that it’s now delivering for McDonald’s, so get your Big Macs quick and ignore any lingering concerns about security…
Filed Under: breach notification, robots.txt, security, security breaches
Companies: doordash
Comments on “Hey Doordash: Why Are You Hiding Your 'Security Notice' From Google Just Days After You Revealed A Massive Security Breach?”
What is "Because there is no actual penalty for hiding it"?
Oooh the daily double
Re: Re:
I will take corporate cop-outs for 1000 please.
'Nothing to see here, move along...'
Even if everything is above-board and it was an honest mistake that they handled responsibly taking active measures to hide information like this is just all sorts of stupid, as true or not it makes it look like they very much have something to hide.
If they’re trying to maintain a good image of caring about security and handling it well this is about the worst thing they could have done, and whoever made that choice really needs to be given the boot before they dig even deeper and torpedo the company’s image even more.
Hey, at least we have an example of a company actually using the tools provided to them, rather than screaming at the courts about how Google should be forced to admin their sites for them. I mean, robots.txt has only been around for a few decades, it’s about time people started using it. Even if used for evil, there’s at least a verifiable trail.
This could only be improved if DoorDash had chosen to DMCA Google for daring to list their security notices page, then declare that "copyright law is the only way we have to effectively manage this issue".
Insiurance
What I think is funny, is that door dashes insurance documents are not readily available through the driver app. This should be available at all times to all drivers. Furthermore, they have never asked me wants to upload my personal insurance documents. Nor will they ever. What is up with that?
so get your Big Macs quick and ignore any lingering concerns about security…
I appreciate you ending sentences most of the time. They are meant to make us think, or sometimes imply guilt. This one, however; is comical. I would put the national average of 1 in 100 cares about data security. For the crowd that is too lazy to go to McDonald’s I would move that number to 1 in 1,000,000. If people were so concerned with security all these smart speakers would not be a runaway success.
looks like they may have updated it already...
current listing: https://www.doordash.com/robots.txt
User-agent: *
Disallow: /store/so-much-maple-juneau-19113/
Disallow: /orders/
Disallow: /orders/track/*
Disallow: /order_history/
Disallow: /sv/
Allow: /consumer/login/
Allow: /consumer/invite/
Disallow: /consumer/
Allow: /dasher/signup/$
Disallow: /dasher/signup/*
Disallow: /dasher/application*
Disallow: /apply/*
Disallow: /qr-code/*
Disallow: /merchant/applyV2/*
Disallow: /securitynotice
Allow: *.js
Allow: *.css
looks like they may have updated it already...
current listing: https://www.doordash.com/robots.txt
User-agent: *
Disallow: /store/so-much-maple-juneau-19113/
Disallow: /orders/
Disallow: /orders/track/*
Disallow: /order_history/
Disallow: /sv/
Allow: /consumer/login/
Allow: /consumer/invite/
Disallow: /consumer/
Allow: /dasher/signup/$
Disallow: /dasher/signup/*
Disallow: /dasher/application*
Disallow: /apply/*
Disallow: /qr-code/*
Disallow: /merchant/applyV2/*
Disallow: /securitynotice
Allow: *.js
Allow: *.css
And that should be fine.
Techdirt usually goes out of its way to point out that robots.txt has existed for a really long time and if news sites don’t want to be indexed by Google (and others) without receiving compensation, then they can simply update their robots.txt file(s).
It’s a bit hypocritical of you all to start complaining when a company actually does what you suggest to minimize the spread of an article they probably don’t want indexed.
Re: And that should be fine.
"It’s a bit hypocritical of you all to start complaining when a company actually does what you suggest’
It’s really not, unless you think that the same tool being used in both instances makes them the same. In one instance people are refusing to use the tool despite it achieving what they claim to want. In the other, they’re using the tool in order to try and hide wrongdoing.
There’s no overlap, apart from the tool being the same. If I say someone should use a screwdriver to undo some screws on their property themselves, then later see someone else trying to prize open a car door with the same type of screwdriver, I’m not being hypocritical over screwdriver usage.
Re: Re: And that should be fine.
Yeah, it’s pretty shitfaced to compare news sites refusing to use robots.txt to avoid getting indexed by Google to a company using robots.txt to hide security risk information. Almost like this chucklenut has a vested interest in the usage…
Re: And that should be fine.
Your confusion is noted but is obviously disingenuous.
Re: And that should be fine.
Techdirt says that it’s fine generally for copyright and trademark issues and compensation, sure. That’s a legal issue that’s pretty broad.
This isn’t a legal issue; no one here is saying that this is or ought to be illegal. We’re just saying that, in this particular instance, it’s really shady and probably unethical or immoral. That’s completely different. Hiding your security notices from Google is perfectly legal AFAIK, but it makes you suspicious as hell.
There are perfectly good reasons to hide some things from Google, like private information or personal documents in the cloud. It’s also fine, though not so sensible, to hide things in a vain and likely counterproductive attempt to protect your copyright or to spitefully keep Google from “profiting off your work”. This is not one of those cases.