DoorDash has confirmed a data breach that affected approximately 4.9 million customers, couriers, and merchants.
The food delivery service made the announcement in a blog post Thursday, nearly five months after the breach occurred.
"Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation ..." the company wrote. "We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users."
The compromised data included customer names, phone numbers, email addresses, delivery addresses, order history, drivers license numbers, as well as the last four digits of credit cards and bank accounts. The company, however, reassured users that the accessed information was "not sufficient to make fraudulent charges" or withdrawals.
DoorDash said users who joined the service after April 5, 2018 were not affected.
"... If you are concerned, we encourage you to reset your password to one that is unique to DoorDash, particularly if you use the same password across multiple accounts," the company wrote. " ... The information accessed is not sufficient to make fraudulent charges on payment cards or fraudulent withdrawals from bank accounts. Regardless, it is a security best practice to always be vigilant and regularly check your payment card and bank accounts for unusual activity. If you see something suspicious, you should promptly report it to your financial institution."
DoorDash users who have questions about the breach are encouraged to the call 855–646–4683 for assistance and information.