DoorDash announced in a blog post on Thursday that an “unauthorized third party” accessed user data in early May.
In the blog post, DoorDash noted that not every customer was affected by the data breach. Users who joined the food delivery service after April 5, 2018, were not affected. Despite this, approximately “4.9 million consumers, Dashers, and merchants” were affected.
DoorDash breach: What information was accessed?
Information accessed in the breach could include “names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords,” according to the post. Approximately 100,000 Dashers, or those employees who deliver food for the company, had their driver’s license numbers accessed as well. The last four digits of some customers credit cards were included in the breach, though the company stated that the information accessed was not enough to “make fraudulent charges on your payment card.”
The last four digits of some Dasher and merchant bank accounts were also accessed. Again, the company claimed that the information gained in the breach was not enough to “make fraudulent withdrawals” from user bank accounts. Despite the breach occurring in May, it was only discovered by DoorDash following an investigation launched earlier this month. The investigation was into “unusual activity involving a third-party service provider.”
DoorDash next steps
In response to the breach, DoorDash is taking steps to secure user data. The company will add additional security measures, improve security protocols, and seek help from outside security experts to “identify and repel threats.” Despite believing that account passwords were not compromised, DoorDash recommended that users change passwords out of “an abundance of caution.”
The company plans to reach out to affected customers over the course of the next several days. It also set up a call center where concerned customers can get answers to their questions, at (855) 646-4683. The news comes a year after DoorDash customers reported hacked accounts. The company denied any hack, but provided no explanation for how accounts were accessed.
READ MORE:
H/T TechCrunch