Food delivery company DoorDash has confirmed it has suffered a data breach that has affected 4.9 million customers, delivery workers and merchants, all of whom have had their information stolen.
The company stated in a blog post that, on May 4th, 2019, “an unauthorized third party accessed some DoorDash user data“. It added that as soon as it was made aware of the breach, DoorDash took steps to block any further access from this unauthorized third party and enhanced its security all across the platform. In the meantime, it has been reaching out to the users who have been affected by the breach.
The users who have joined DoorDash on or before April 5th, 2018 have been affected but those who joined after that date can rest assured that their information is safe.
According to DoorDash, the information that was accessed by the hackers could include profile information such as names, e-mail addresses, phone number and hashed salted password included.
Some customers might have had the last four digits of their consumer payment cards visible as well but DoorDash insists that “full credit card information such as full payment card numbers or a CVV was not accessed” and that the “information accessed is not sufficient to make fraudulent charges on your payment card.”
Dashers and merchants might have suffered the same situation concerning their bank account numbers but for the Dashers the situation is a bit different as approximately 100,000 of them have had their driver’s license numbers accessed.
DoorDash stated that it has added some extra security layers that should protect user data and, in addition to that, it has also worked on improving the security protocols that allow others to access its systems.
It’s worth mentioning that, exactly one year ago, on September 26th, the company received a number of complaints from its customers via Twitter. They stated that their accounts had been accessed by a third party and fraudulent food deliveries had been charged to their accounts.
At the time, the company vehemently denied it has recorded any kind of data breach.