The San Francisco-based food delivery service DoorDash has confirmed that a recent data breach may have enabled a third party to obtain the personal information of some 4.9 million users and restaurants. Although DoorDash said in a blog post published Thursday that it only became aware of unusual activity regarding a third-party service provider earlier this month, an investigation found that third party had accessed users' personal data on May 4. The company is now in the process of reaching out directly to affected users.
"We take the security of our community very seriously," DoorDash said in a blog post confirming the data breach. "We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy." Romper has reached out to DoorDash for additional comment, but did not receive an immediate response.
While not every user is believed to have been affected by the breach, DoorDash has said that approximately 4.9 million consumers, DoorDash drivers, and merchants who joined the platform on or before April 5, 2018 were affected. Those who joined DoorDash anytime after that date, however, can breathe a sigh of relief as they are not believed to have had their information compromised.
The company revealed Thursday that compromised data could include users' names, email addresses, delivery addresses, order history, phone numbers, and "hashed, salted passwords." The last four digits of some consumers' payment cards could also have been accessed in the breach, although DoorDash noted in its blog that "the information accessed is not sufficient to make fraudulent charges."
Similarly, the last four digits of bank account numbers supplied by merchants and individuals who drove for DoorDash could also have been accessed, although the company again noted that "the information accessed is not sufficient to make fraudulent withdrawals." Additionally, the driver's license numbers of approximately 100,000 DoorDash drivers were accessed in the breach, according to the company.
"We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats," DoorDash said in its company blog post. The company has also confirmed that it has blocked further access by the unauthorized third party. What's not been discussed, however, is why it took the company four months to get wind of the breach.
Data breaches continue to be an unfortunate risk of our increasingly digital world. In fact, the Identity Theft Resource Center reported that 1,244 data breaches happened in 2018. But, according to Forbes, things like vigilantly checking your accounts for unauthorized charges, periodically changing passwords, not using the same password across multiple platforms, and signing up for credit monitoring services can help you protect your information in case of data breaches like the one DoorDash has experienced.
DoorDash is currently in the process of reaching out to all affected users with specifics about which of their data was accessed in the breach, according to the blog post. Although the company doesn't believe passwords were compromised — the hashed, salted passwords accessed are believed to be indecipherable — they recommend users change their password "out of an abundance of caution." A dedicated call center has also been established at 855–646–4683 for users seeking more information or who have additional concerns.