“Earlier this month, we became aware of unusual activity involving a third-party service provider,” the company wrote in a blog post. “We immediately launched an investigation, and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.”
It’s unknown why it took DoorDash five months to detect the breach, which impacted around 4.9 million consumers, Dashers (delivery workers), and merchants who joined the platform on or before April 5, 2018. Those affected had their names, email and delivery addresses, order histories, phone numbers and hashed and salted passwords stolen.
For some, the last four digits of their payment cards were taken. However, the company said full credit card information, including complete card numbers or CVVs, was not accessed, and the information taken is not enough to make fraudulent charges on a payment card.
Around 100,000 delivery workers also had their driver’s license information stolen in the breach.
“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats,” the company added.
The news comes after DoorDash customers complained last year that their accounts had been hacked, which the company denied, according to TechCrunch. Instead, DoorDash claimed attackers were running credential stuffing attacks, in which hackers take lists of usernames and passwords stolen elsewhere and try them on other sites where people have reused the same passwords. Many customers, however, pointed out that their passwords were unique to DoorDash.