DoorDash, a San Francisco-based food-delivery service provider, revealed a massive data breach that affected around 4.9 million people (its customers, delivery workers, and merchants) who were using its service platform.
In an official statement, the company said that an unauthorized third party accessed its user data on May 4, 2019. DoorDash clarified that users who joined its services platform on or before April 5, 2018, are affected by the incident, while those who joined after April 5, 2018, are not.
“Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users,” DoorDash said in a post.
According to DoorDash, the exposed information included customers’ names, email addresses, delivery addresses, contact details, order history, card details, phone numbers, and hashed passwords.
Hackers took the last four digits of the customers’ payment cards, though complete numbers and CVVs were not taken. In the case of delivery workers and merchants, the attackers stole the last four digits of their bank account numbers along with the card details. The license information of nearly one lakh delivery workers was stolen in the incident.
“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats,” DoorDash added.
The news comes after DoorDash customers reported that their accounts had been hacked. The company denied this at the time, claiming that attackers were running credential stuffing attacks.