DoorDash announced today that it suffered a security breach that affected 4.9 million users. According to the company, on May 4th, 2019, an unauthorized third-party gained access to information belonging to DoorDash users including consumers, delivery drivers and merchants who joined the platfrom on or before April 5th, 2018. The information accessed included names, email addresses, physical addresses used for deliveries, order histories, phone numbers and passwords, which were encrypted using hashing and salting techniques. The company is advising users to reset their passwords, though it is not believed that any passwords have been compromised.
DoorDash disclosed that the last four digits of some consumer payment cards were also compromised in the breach, but no full payment information — including complete card numbers or CVV security codes — were accessed. Perhaps most troublingly, the full driver’s license numbers for approximately 100,000 DoorDash drivers were compromised in the breach.
DoorDash claims that, in response to the incident, it has added a number of additional security layers to protect user data and has improved the security protocols that allow access to its systems. The company is reaching out to individual users affected by the breach, but the company has not disclosed any additional action that needs to be taken by affected users at this time.