Popular on-demand food delivery service DoorDash has revealed that it was the target of a data breach, and that the information of 4.9 million users in both the US and Canada has been compromised as a result.
The company first became aware of “unusual activity” involving a third-party provider earlier this month. After an investigation, DoorDash determined that an unauthorized third party had accessed user data on May 04, 2019.
DoorDash spokesperson Mattie Magdovitz told CTV News in an email statement that the cyberattack affected users who joined the platform before April 05, 2018. The spokesperson also confirmed that the attack did not affect any users in Australia, and that the company has directly notified individuals whose accounts have been affected.
The information that was stolen included order history, phone numbers, email addresses, user names and physical addresses. The hackers also managed to expose the driver’s licence information of about 100,000 drivers associated with DoorDash. In several cases, hackers made off with the last four digits of consumer payment cards, as well as the last four digits of their bank account number. DoorDash offered assurances that the stolen information was “not sufficient” to make fraudulent purchases or withdrawals. It does not believe that user passwords were compromised, but has recommended that users affected by the breach reset their passwords.
Magdovitz said that since the announcement, the company has taken a number of steps to further secure data, and is offering free identity protection services to affected drivers.