DoorDash says 4.9 million affected in third-party data breach

Online delivery service DoorDash announced that 4.9 million customers, Dashers and merchants were affected by a data breach Thursday.

DoorDash announced the breach, stating that earlier in September it became aware of unusual activity involving a third-party service.

After launching an investigation with “outside security experts,” the company learned that an “unauthorized third-party” accessed user data on May 4, 2019.

About 4.9 million people, a number that includes customers, the delivery service members and restaurants connected with DoorDash on or before April 4, 2018, had information compromised, according to the company.

DoorDash said anyone who joined anytime after that date were not involved in the breach.

The company said customer profile information such as names, emails, physical addresses, order history and phone numbers were taken. Hashed and salted passwords were also taken, but DoorDash said that they were rendered indecipherable to third parties.

Some customers also had the last four digits of their cards taken, but not the full information, according to DoorDash. The same happened for bank account numbers linked to Dashers and merchants.

About 100,000 Dashers also had their driver’s license numbers accessed, according to DoorDash.

“We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us and we want to assure you that we value your security and privacy,” the company said.

It encouraged people to change the password on their accounts as a precaution.