DoorDash, a food delivery app, announced in a blog post on Thursday that an “unauthorized third party” had accessed its user data. The company claimed that the breach affected 4.9 million “consumers, dashers, and merchants.” DoorDash said names, email addresses, delivery addresses, order histories, phone numbers, and hashed, salted passwords could have been accessed. It’s not yet clear what might have been done with the data by the third party.
DoorDash also said that for some consumers, the last four digits of payment cards were accessed, but full card numbers and CCV numbers were not. Some couriers and merchants also had the last four digits of their bank account numbers accessed. Approximately 100,000 of the company’s delivery workers had their driver’s licenses compromised as well.
DoorDash said the data was accessed on May 4th, but the company did not discover the breach until sometime after it began investigating, earlier this month, unusual activity involving a third-party service provider. The company is informing customers affected by the breach now. The breach is believed to have primarily targeted DoorDash users who signed up on or before April 5th, 2018. The company, however, recommends changing your password regardless of when you signed up.
The breach comes about a year after some DoorDash customers said their accounts had been hacked, but DoorDash told TechCrunch at the time that there had not been a data breach.