Food delivery company DoorDash has confirmed that it has suffered a data breach that affects 4.9 million customers, workers, and merchants.
TechCrunch reports that food delivery company DoorDash has confirmed that it has been the victim of a data breach that puts the personal information of 4.9 million customers, delivery workers, and merchants at risk.
According to a blog post by the company published on Thursday, the breach happened on May 4; the firm noted that users who joined after April 5, 2018, are not affected by the breach. Mattie Magdovitz, a spokesperson for DoorDash, blamed the breach on “a third-party service provider,” but did not name the provider.
Magdovitz added: “We immediately launched an investigation and outside security experts were engaged to assess what occurred.” According to DoorDash, users who joined the platform before April 5, 2018, had their name, email, delivery addresses, order history, phone numbers, and hashed and salted passwords stolen.
The company added that users had the last four digits of their payment cards stolen but the full numbers and card verification values were not accessed. Delivery workers and merchants had the last four digits of their bank account numbers stolen.
100,000 delivery workers also saw their driver’s license information stolen as a result of the data breach. This news comes exactly one year after DoorDash customers reported that their accounts had been hacked. The firm stated at the time that no data breach had taken place and claimed that hackers were running credential stuffing attacks, in which they take a list of stolen usernames and passwords and try them on multiple sites where the same passwords are used.
Many customers said at the time, however, that the passwords they used were unique to DoorDash, which would rule out such an attack. At the time, DoorDash could not explain how the affected accounts were breached.