DoorDash confirmed in a blog post Thursday a data breach that's affected 4.9 million users. The breach, reported earlier by TechCrunch, exposed information like names, email addresses, delivery addresses, order histories, phone numbers and passwords. The last four digits of some consumers' credit card and bank account numbers were also accessed, but DoorDash said the information isn't enough to make a fraudulent purchase.
DoorDash also said that about 100,000 of the company's drivers had their driver's license numbers accessed.
The food delivery company said it became aware of suspicious activity with a third-party service provider earlier this month. The investigation discovered that an unauthorized third party accessed some user data in early May. DoorDash said users who joined after April 5, 2018, weren't affected.
"We immediately launched an investigation, and outside security experts were engaged to assess what occurred," Mattie Magdovitz, the company's senior communications manager, said in an email.
DoorDash said it blocked the unauthorized user's access, added additional protective security layers around the data, improved security protocols that govern access to systems, and brought in outside expertise.
The company said it doesn't think passwords were compromised but that it encourages users to change them just in case.
The company said its investigation is ongoing. DoorDash is the latest to suffer a, after and earlier this year.
Originally published Sept. 26, 1:54 p.m. PT.
Update, 2:06 p.m.: Adds comments from DoorDash.
Correction, Sept. 27: An earlier version of this story incorrectly stated the extent of the DoorDash security issue. The company became aware of suspicious activity this month, leading to the discovery of a single breach in May.