It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Social engineering scam leads to DoorDash data breach
DoorDash announced last week that an unauthorized third party (read: hackers) gained access to the personal information of a subset of its customers, delivery workers, and merchants. The cause? An employee was successfully targeted by a social engineering scam. While DoorDash stated that no “sensitive” information, such as Social Security or credit card numbers, was accessed, the breach did include names, phone numbers, email addresses, and physical addresses.
Unfortunately, these sorts of data breaches are far from rare. In fact, just a few days ago, Princeton University shared that attackers were able to gain access to a database containing “personal information such as names, email addresses, telephone numbers, and home and business addresses” of “alumni, donors, faculty, students, parents, and other members of the University community.” Similar to the DoorDash breach, the database was accessed after hackers successfully targeted a university employee in a phishing attack.
What you can do
- Be mindful of what data you provide to vendors. Data breaches are an unfortunate fact of life these days. While we can’t always control the security of the apps and services we use, we can control some of the data that we provide to them. In the case of an app like DoorDash, consider signing up with an alternate name, a secondary email address, and a Google Voice number. The goal here isn’t complete anonymity, but providing alternate contact information, for example, can reduce the impact of a service being hacked.
- Check to see what information of yours is out there. Data breaches like these can lead to our personal information ending up in various places online. If you’re concerned about certain information — say, your address — being publicly available online, it’s a good idea to check every so often to see how easily (if at all) that info can be found on the internet. The guide from NYT Open’s “How to Dox Yourself on the Internet” series is a great resource to help you get started with that.
- Take steps to scrub your sensitive information from the internet. If your personal information, like a phone number, email address, or physical address, ends up in search results, both Google and Bing have forms that allow you to request the information be delisted. Personal data can also end up on data broker sites. Check out our guidance for dealing with data brokers, including using opt-out services and manually requesting data removals, here.
- Regularly check for your exposure to data breaches. In both of these examples, the targeted organization notified impacted users that their data was potentially exposed. Unfortunately, this doesn’t always happen. While it doesn’t cover everything, it’s a good idea to regularly check the website Have I Been Pwned to see whether any accounts associated with your email addresses have been exposed.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Evan
Evan Summers
Senior Digital Security Trainer
Freedom of the Press Foundation