DoorDash Data Breach Affects 4.9M Customers, Drivers, Merchants
The breach included the driver’s license numbers of approximately 100,000 delivery drivers.
Food delivery startup DoorDash reported on Thursday that a data breach this past May may have affected nearly 5 million of its customers, delivery drivers and merchants.
The San Francisco-based company said in a blog post that earlier this month DoorDash “became aware of unusual activity involving a third-party service provider.” After the firm launched an investigation and hired outside security experts, “we were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”
DoorDash said it took “immediate steps” to block further access by the “unauthorized third party and to enhance security across our platform.” The company said it was reaching out directly to affected users.
DoorDash said approximately 4.9 million consumers, delivery drivers and merchants who joined the platform on or before April 5, 2018, were affected. Users who joined after April 5, 2018 are not affected, the company said.
The firm said that the data could include “profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.”
DoorDash said that for some consumers, the last four digits of consumer payment cards. “However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card,” the company said.
The firm also said that for some DoorDash workers and merchants, the last four digits of their bank account number could have been accessed. “However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.” The breach also included the driver’s license numbers of approximately 100,000 delivery drivers.
DoorDash said it “took immediate steps to block further access by the unauthorized user and to enhance security across our platform. These steps include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.”
DoorDash, founded in 2013, has raised a total of $2 billion in funding, according to Crunchbase.