DoorDash confirmed about a data breach in a blog post where around 4.9 million user’s data have been accessed by an unauthorised third-party.
The breach which occurred in May 2019 affected the customers, drivers, and merchants who joined the DoorDash platform on or before 5 April 2018. However, users who joined after 5 April 2018 were not impacted by the breach.
DoorDash which is a food delivery company, came to know about the unauthorized activity after five months when they became aware of a suspicious activity from a third-party service provider.
The breached data includes profile information, such as names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords.
The last four digits of customer payment cards may also have been exposed. But DoorDash assures that full credit card information like the complete card numbers or a CVV was not accessed.
Similarly, even though the last four digits of bank account numbers for some drivers and merchants may have been exposed the full bank account information was not accessed.
DoorDash stated that the accessed information is not enough for an attacker to perform fraudulent activities on the bank accounts.
The driver’s license numbers of around 100,000 of the company’s drivers were also accessed.
After being aware of the breach, DoorDash has increased their security measures and has taken steps to block access by the unauthorised user. The measures taken include adding additional protective security layers around the data, improving security protocols, and hiring external experts to identify and prevent any threats.
The company has contacted the affected customers already. Even though the user passwords have not been compromised the company recommends the users to change them as a precautionary measure.