DoorDash confirms 4.9M accounts accessed in major server breach

In a blog post, DoorDash advises it was warned of unusual activity involving a "third-party service provider" earlier in September, prompting an investigation by security experts from outside the company. It was discovered an "unauthorized third party accessed some DoorDash user data on May 4, 2019."

The company has since taken steps to block further access by that third party, as well as enhancing its security and reaching out to affected users. It is believed 4.9 million consumers, "Dashers" and merchants who joined the service on or before April 5, 2018 are affected. Accounts created after that time not affected by the intrusion.

The user data includes profile information like names, email addresses, order history, phone numbers, and hashed and salted passwords. For some consumers, the last four digits of payment cards were included, with the last four digits of bank account numbers for Dashers and merchants, but DoorDash stresses the full financial details were not accessed. For approximately 100,000 Dashers, their driver's license number was also accessed.

As well as reaching out to affected users with specific information about what was accessed in their account, DoorDash encourages users to reset their password to one that is unique to the service, but adds it "does not believe" user passwords have been compromised. The company has also set up a dedicated call center for additional support.

"We deeply regret the frustration and inconvenience that this may cause you," writes the company. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy."