Data from close to 5 million users of an on-demand delivery platform has been exposed.
In a corporate blog post, DoorDash says that in September 2019, it became aware of “unusual activity” involving a third-party service provider. A subsequent investigation that included outside security experts determined that an unauthorized third party accessed some DoorDash user data on May 4, 2019.
Approximately 4.9 million consumers, independent contractor drivers, and retailers who joined the DoorDash platform on or before April 5, 2018, are affected. Users who joined after April 5, 2018, are not affected. According to DoorDash, the user data accessed could include profile information such as names, email addresses, delivery addresses, order history, phone numbers, and hashed, salted passwords, which are indecipherable to third parties.
For some consumers, the last four digits of their payment cards were also exposed, but not full credit card information such as complete payment card numbers or a card verification value (CVV) security code. DoorDash says the accessed data is not sufficient to make fraudulent charges on a payment card.
In addition, some drivers and retailers had the last four digits of their bank account number accessed. However, full bank account information was not accessed, and DoorDash says the information accessed is not sufficient to make fraudulent withdrawals from a bank account. Approximately 100,000 drivers had their driver’s license numbers accessed.
DoorDash says it took “immediate steps” to block further access by the unauthorized third party and to enhance security across its platform, and is reaching out directly to affected users. The company is taking additional steps to secure user data, including adding protective security layers around data, improving security protocols that govern access to its systems, and bringing in outside security expertise.
Although DoorDash does not believe that user passwords have been compromised, it is still recommending that all of those affected reset their password to one that is unique to DoorDash.