DoorDash has announced it has suffered a massive data breach, involving the personal information of 4.9 million customers.

In a blog posted to its site, DoorDash claims they became aware of unusual activity involving a third-party service provider. "We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users," says the blog. 

Who was affected and what data was accessed?

Not every user was affected. Approximately 4.9 million consumers, users and merchants who joined the platform on or before April 5, 2018, are affected. Users who joined after April 5, 2018 are not affected, says the blog. The type of user data accessed could include:

  • Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords. 
  • For some consumers, the last four digits of consumer payment cards. Full credit card information such as full payment card numbers or a CVV was not accessed, claims the blog. 
  • For some users and merchants, the last four digits of their bank account number. 
  • For approximately 100,000 users, their driver’s license numbers were also accessed.

What steps has DoorDash taken?

"We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats. We are reaching out directly to affected users with specific information about what was accessed. We do not believe that user passwords have been compromised, but out of an abundance of caution, we are encouraging all of those affected to reset their passwords to one that is unique to DoorDash," says the blog.