A food delivery company with millions of customers has had its data breached, and sensitive information like names, physical addresses and phone numbers was leaked.
The news was confirmed by the company itself – DoorDash. Announcing the breach in a blog post earlier this week, DoorDash confirmed that 4.9 million customers, delivery workers and merchants have had their data compromised. The breach occurred on May 4, the company said, adding that whoever joined before April 5 2018 were affected.
It laid the blame on an unnamed third-party service provider. “We immediately launched an investigation and outside security experts were engaged to assess what occurred,” said DoorDash spokesperson Mattie Magdovitz.
But it’s not just names, physical addresses and phone numbers that were leaked. Order history was taken, hashed and salted passwords, but also the last four digits of the customers’ payment cards.
The last four digits of delivery workers’ and merchants’ bank accounts were taken, as well as some 100,000 delivery workers’ driver license information.
Full numbers, as well as card verification values (CVV) were not taken.
DoorDash said it added extra layers of security to keep its customers’ data safe, and improved security protocols necessary to gain access to this data.
Almost exactly a year ago, DoorDash customers claimed their accounts were hacked, Tech Crunch reminds. At the time, the company denied the data breach, and said the attackers were actually involved in credential stuffing.