On-demand restaurant meal delivery service DoorDash on Thursday said a breach of its system exposed nearly five million customers, eateries and “Dashers” to a data breach.
The San Francisco-based startup, which competes in North America with Uber Eats and GrubHub, said it noticed unusual activity early this month and discovered DoorDash user data was accessed by “an unauthorized third party” in May.
DoorDash assured users in an online post that it immediately blocked the intruder’s cyber access and enhanced system security.
Data was exposed regarding approximately 4.9 million consumers, merchants and delivery people who joined the restaurant meal delivery platform on or before April 5 of last year, according to DoorDash.
Information included names, phone numbers, and email and delivery addresses, along with passwords scrambled to be indecipherable, DoorDash said.
The last four digits of some customers’ credit cards, as well as the final four digits of merchant and delivery people’s bank accounts, were also exposed in some cases.
“The information accessed is not sufficient to make fraudulent charges on your payment card” or withdrawals from bank accounts, DoorDash said.
Driver’s license numbers for some 100,000 delivery people, referred to as “Dashers,” were also exposed.
DoorDash said it did not believe passwords were compromised, but advised users to change them to be safe.
“We deeply regret the frustration and inconvenience that this may cause you,” DoorDash said.
“Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”
DoorDash at the end of last year was the leading US service to use a mobile app to match restaurant take-away orders with people willing to deliver the meals for a price.
DoorDash in August announced it was acquiring crosstown rival Caviar in a deal valued at $410 million.