Popular on-demand food delivery platform DoorDash has confirmed a data breach affecting 4.9 million customers around the world.
DoorDash, an economy giant founded in 2013, connects customers with local restaurants, relying on independent contractors, also known as “Dashers,” who use their vehicles for door-to-door delivery. It operates in over 4,000 cities across the US and Canada.
The breached data was accessed by an unspecified third-party service provider on May 4 and includes profile information such as names, emails, delivery addresses, phone numbers, useful official passwords, as well as the driver’s license numbers of nearly 100,000 delivery executives. The leak is also said to have exposed the last four digits of payment cards for some consumers and the last four digits of the bank account numbers for some delivery executives and restaurants.
It is not immediately clear how this data came to be accessed in an illicit manner, whether it was being hosted by the third-party service provider, or whether DoorDash was the victim of a supply chain attack through the third party.
The San Francisco-based startup said it was alerted to the breach earlier this month after it noticed unusual activity involving third-party service providers. Users who connected to the platform after April 5, 2018, were not affected. However, the company recommends changing your account password regardless of when you signed up.
It also leaves open the possibility that hackers may have had access to this data from May until it was blocked at the start of this month. In response, the company said it added a number of additional security layers to safeguard user data and has improved the security protocols allowing access to its systems. The company is reaching out to individual users affected by the breach. It also makes sense to be on the watch for any phishing activity, as it is possible for the attackers to target potential victims using the stolen email addresses.