DoorDash on Thursday said that a data breach has compromised the information of 4.9 million customers, drivers and merchants who used the company’s food ordering platform before April 5, 2018.
In a blog post, the company said that it became aware of some “unusual activity” earlier this month involving a “third-party service provider.”
The company said that an investigation determined that an “unauthorized third party” accessed user data on May 4 this year. DoorDash said it is reaching out to users affected by the breach.
The company said that users who joined the platform after April 5, 2018, are not affected. Information accessed included profile information, such as email and delivery addresses and order history as well as “salted passwords” that it says are indecipherable to third parties.
Hackers also accessed the last four digits of consumers’ payment cards, though not the full card number or CVV. They also accessed the last four digits of bank account information for merchants on the service and some drivers.
The driver's license numbers of about 100,000 drivers were accessed.
The company said that it has taken steps to secure data and urged those affected by the breach to change their passwords.
Nevertheless, it’s the first major data breach acknowledged by one of the larger providers of third-party delivery services. It comes at a crucial time for the service, which continues to gain users as consumers increasingly order their food delivered or for takeout.
DoorDash has been one of the fastest-growing players in the field, winning the rights to deliver food for chains such as Chipotle Mexican Grill and, more recently, McDonald’s.
Members help make our journalism possible. Become a Restaurant Business member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.