If you signed up for DoorDash before April 5, your personal information may have been compromised. The food delivery service reports a data breach that may affect as many as 4.9 million consumers.
In a blog post, the company said that in addition to customers, delivery personnel and restaurants may have been affected by the breach.
Company officials say the breach apparently occurred on May 4 of this year, but it was not discovered until nearly four months later. The company pins the blame on a third-party service provider but DoorDash declined to name the company.
“Earlier this month, we became aware of unusual activity involving a third-party service provider,” the company said in its blog post. “We immediately launched an investigation and outside security experts were engaged to assess what occurred.”
The investigation revealed that an “unauthorized third party” accessed some DoorDash user data on May 4, 2019.
“We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users,” the company said.
What the hackers got
The company believes the hackers gained access to customer profile information that includes names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.
It does not appear the hackers got away with customers’ credit card data. The company says in some cases the hackers may have gotten the last four digits of credit cards, but not the full number nor the CVV number, which is often required to make an online purchase.
For about 100,000 delivery personnel, the company says hackers may have gained access to their driver’s license numbers.
If your information was compromised expect to receive contact from DoorDash in the near future. The company said it is reaching out to those affected with instructions about what they should do.
While it is not believed passwords were compromised in the breach DoorDash says it may be prudent for those affected by the breach to reset their passwords.