DoorDash has announced that the personal data of 4.9 million people on its platform—including customers, dashers, and its merchants—has been compromised in a security breach. Now is a good time to change your password.
DoorDash announced the breach Thursday in a blog post. DoorDash said it initially noticed “unusual activity involving a third-party service provider” earlier this month, at which time it says it launched an investigation into the incident. The company said that its probe, which involved outside experts in security, found that the third party accessed user data on May 4.
DoorDash said that while not everyone on its platform was affected in the incident, the 4.9 million people who may be impacted by the breach joined on or before April 5, 2018. (If you joined after that, DoorDash says you’re in the clear.)
That exposed data includes profile names, phone numbers, emails, delivery addresses (which would likely include home and work addresses), order history, and hashed passwords. Some 100,000 dashers had their driver’s license numbers exposed in the breach, and DoorDash says that the exposed data of some platform users included the last four digits of their bank account (dashers and merchants) or credit cards on file (customers).
DoorDash said that it’s currently in the process of notifying affected parties. One current worker who received such an email from DoorDash and shared that correspondence with Gizmodo was informed that “we believe that some of your DoorDash user account information has been accessed.” Beyond that, however, the email included nearly identical language to what was published in the company’s public-facing blog.
In both the email and in the company’s notice, DoorDash said that while it doesn’t think that user passwords have been compromised, it is “out of an abundance of caution” encouraging concerned users or those who believe they may have been affected to change their passwords.
DoorDash stated that while it doesn’t think the bank information exposed would be enough to allow a bad actor to make fraudulent charges or withdrawals, taken together with the other compromised data, it’s probably a good idea to keep an eye on your bank account as well if you believe you’ve been affected.
“We took immediate steps to block further access by the unauthorized user and to enhance security across our platform,” the company said. “These steps include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.”