DoorDash data breach affected 4.9M customers, drivers, merchants

The food delivery service confirmed the news Thursday.

Shelby Brown Editor II
Shelby Brown (she/her/hers) is an editor for CNET's services team. She covers tips and tricks for apps, operating systems and devices, as well as mobile gaming and Apple Arcade news. Shelby also oversees Tech Tips coverage. Before joining CNET, she covered app news for Download.com and served as a freelancer for Louisville.com.
  • She received the Renau Writing Scholarship in 2016 from the University of Louisville's communication department.
Shelby Brown
2 min read
In this photo illustration the DoorDash logo is seen

DoorDash has suffered a breach. 

Getty Images

DoorDash confirmed in a blog post Thursday a data breach that's affected 4.9 million users. The breach, reported earlier by TechCrunch, exposed information like names, email addresses, delivery addresses, order histories, phone numbers and passwords. The last four digits of some consumers' credit card and bank account numbers were also accessed, but DoorDash said the information isn't enough to make a fraudulent purchase.  

DoorDash also said that about 100,000 of the company's drivers had their driver's license numbers accessed.

The food delivery company said it became aware of suspicious activity with a third-party service provider earlier this month. The investigation discovered that an unauthorized third party accessed some user data in early May. DoorDash said users who joined after April 5, 2018, weren't affected. 

Watch this: What to do if your personal information is part of a data breach

"We immediately launched an investigation, and outside security experts were engaged to assess what occurred," Mattie Magdovitz, the company's senior communications manager, said in an email. 

DoorDash said it blocked the unauthorized user's access, added additional protective security layers around the data, improved security protocols that govern access to systems, and brought in outside expertise.

The company said it doesn't think passwords were compromised but that it encourages users to change them just in case. 

The company said its investigation is ongoing. DoorDash is the latest to suffer a data breach, after MoviePass and Capital One earlier this year. 

Read More: The best identity theft protection and monitoring services

Originally published Sept. 26, 1:54 p.m. PT.
Update, 2:06 p.m.: Adds comments from DoorDash. 

Correction, Sept. 27: An earlier version of this story incorrectly stated the extent of the DoorDash security issue. The company became aware of suspicious activity this month, leading to the discovery of a single breach in May.