DoorDash has sent a message to its users announcing a major security breach that affected 4.9 million users after an unauthorized third party accessed user data on May 4, 2019.
In an email alert to affected users, DoorDash said that “we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred.” DoorDash further said that after identifying the culprit, they took immediate steps to “block the unauthorized user” and “enhanced security” across their platform.
The data from affected users that could have been stolen includes:
- Profile information (name, delivery address, order history, phone number, and “hashed” passwords)
- Last four digits of consumer credit cards (though the third party hackers did not have access to full credit card numbers)
- Last four digits of bank account numbers (Again, full information was not accessed by the third party breach)
- Driver’s license numbers (this only affected 100,000 users)
“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats,” DoorDash said in a statement on its website.
The company suggests that users immediately reset their DoorDash passwords, or passwords to other accounts if the same password was used for multiple accounts. Users who joined after April 5, 2018 are not affected by the breach.
DoorDash responded to the incident as soon as information become available.
“We became aware of the unusual activity earlier this month in September and we immediately launched an investigation,” a representative with DoorDash told Nation's Restaurant News. “That investigation enabled us to determine that on May 4, 2019 an unauthorized third party accessed some DoorDash user data. We took immediate steps to block further access by the unauthorized user and to enhance security across our platform. We are reaching out directly to affected users.”
A company spokesperson also clarified that they will be “improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats” to prevent future data breaches.
Update, Sept. 27, 2019: This story has been updated to reflect DoorDash's statement.
Contact Joanna Fantozzi at [email protected]
Follow her on Twitter: @joannafantozzi