In late September, Doordash – the food delivery startup recently valued at $7 billion – announced that it had been hacked.
Well, not exactly Doordash. Rather, hackers breached one of the company's vendors; the vendor's breach, in turn, compromised millions of users on the Doordash platform.
When was the vendor breached? In May.
For six months, millions of Doordash users did not know that their driver's license numbers, credit cards, and personal information had been compromised:
Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected.
And herein lies one of the central paradoxes of modern technology. We love it when our digital lives are seamlessly integrated. We love to connect one app to another app. We love when Slack syncs with Dropbox or when we can pay for something on one app but have it delivered through a different app.
Each connection is at once an additional point of convenience and a ripe target for compromise.
The military uses a term called “attack area.” The larger a target's attack area, the harder it is to protect and the more vulnerable it is to compromise; a small attack area is easy to defend, a large one much less so. The same concept applies to technology.
Doordash needs to do much more than protect itself. It needs to protect its own internal systems, plus the nearly unlimited attack area of all its partners, vendors, and providers. From a security perspective, this is a nightmarish scenario.
Just as Doordash relies on its partners, we rely on Doordash and the other technologies we use to make our lives easier. But fast deliveries come at a price that can be measured, and at a cost that cannot.
In addition to changing passwords and other standard how-tos, good cyber hygiene would focus on minimizing our own attack area. Limiting the social networks or food delivery apps we use may be a nuisance, but the payoff can be measured in non-leaked nudies, or simply in peace of mind.