DoorDash, the popular food delivery service, revealed on Thursday that approximately 4.9 million of its users had their personal data exposed to an “unauthorized third party” in a data breach. DoorDash said names, email addresses, delivery addresses, order histories and phone numbers of consumers, delivery workers, and merchants were stolen by hackers. Approximately 100,000 of the company’s delivery workers had their driver’s licenses compromised as well.
Sensitive financial information like the last four digits of credit card and bank account numbers, as well as “hashed, salted passwords”, was also exposed in the breach. Full card numbers, CCV numbers, and bank account numbers were not. DoorDash says the leaked information is not enough to make fraudulent purchases.
The breach took place on May 4, but DoorDash officials didn’t learn of it until earlier this month. It’s unclear who accessed the data, but the breach only covered people who had joined the platform before April 5, 2018. Users who joined DoorDash after April 5, 2018, are not affected, DoorDash said in its blog post.
The 4.9 million figure makes up only a portion of the users who joined the platform on or before that date. DoorDash says it’s in the process of directly notifying those affected. And while actual user passwords were not compromised, the company still recommends that everyone change their password regardless of when they signed up, “out of an abundance of caution”.
Change password now
DoorDash says it has taken immediate steps to “block further access by the unauthorized third party”. The company has also tightened data security by adding protective security layers and improving security protocols. However, the worst has already happened and the least you can do is change your password right away.
This is not the first instance in which DoorDash users’ personal information has been compromised. According to TechCrunch, some DoorDash users had complained last year that their accounts had been hacked. The company had denied a data breach at that time.
However, a comment on DoorDash’s blog post suggests that some kind of data breach had indeed happened. Apparently, unauthorized purchases were made through the hacked accounts, and DoorDash’s only solution was a full refund of the purchase amount. DoorDash also appears to be guilty of not processing user requests to delete their accounts.
DoorDash said people can call 855-646-4683 with questions.