Personal info on nearly 5 million DoorDash users, drivers, and merchants exposed

Driver’s licence numbers of approximately 100,000 ‘Dashers’ were also accessed.

Personal info on nearly 5 million DoorDash users, drivers, and merchants exposed Driver’s licence numbers of approximately 100,000 ‘Dashers’ were also accessed.

DoorDash confirmed in a blog post on Thursday it has had data on 4.9 million users accessed by an unauthorised third-party.

The breach occurred on 4 May 2019 and affected customers, drivers, and merchants who joined the DoorDash platform on or before 5 April 2018. Users who joined after 5 April 2018 were not affected, the company said.

It took DoorDash five months to become aware of the unauthorised activity. The food delivery company said it became aware of suspicious activity from a third-party service provider earlier this month.

The compromised data includes profile information, such as names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords, which DoorDash said means the actual password is indecipherable to third parties.

The last four digits of customer payment cards may also have been exposed. However, DoorDash said full credit card information such as complete card numbers or a CVV was not accessed.

The last four digits of bank account numbers for some drivers and merchants may also have been exposed, but full bank account information was not accessed. 

DoorDash said the accessed information is not sufficient enough for someone to make fraudulent purchases or bank withdrawals.  

Around 100,000 of the company's drivers also had their driver's license numbers accessed.

Since discovering the breach, DoorDash said it has taken steps to block access by the unauthorised user and enhance security across the platform. These steps include adding additional protective security layers around the data, improving security protocols, and hiring external experts to identify and repel threats.

It has also reached out to those that have been affected.

The company added that while it does not think passwords have been compromised, it is encouraging users to change them as a precautionary measure.

"We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy," DoorDash wrote.

Last month, DoorDash acquired Caviar, one of its competitors, for $410 million in a mix of cash and DoorDash preferred stock. 

Related Coverage