On Thursday, food-delivery service, DoorDash joined a string of data breach victims in recent years, confirming in its blog post, a massive data breach that’s affected 4.9 million users, including customers, workers, and merchants. The breach was initially reported by TechCrunch, exposing information such as names, email addresses, delivery addresses, order histories, phone numbers, and passwords.

Hauntingly enough, the last four digits of some consumers’ credit card and bank account numbers were also accessed, but DoorDash has indicated that the information isn’t enough to make a fraudulent purchase. We will see about that.

The company added that approximately 100,000 of its company drivers had their driver’s license numbers accessed. Again, too early to speak on the potentially damaging effects of this.

Earlier this month, the food-delivery company said it became aware of “suspicious activity” with a third-party service provider. After an investigation, the company said it discovered another breach occurred in early May.

Who Is Affected?

The data itself was compromised on May 4.

The massive breach affected users who joined the platform on or before April 5, 2018, according to the company. Users who joined after April 5, 2018 were not affected.

What Was Affected?

According to the company’s blog post, the type of user data accessed could include:

  1. Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.
  2. For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.
  3. For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.
  4. For approximately 100,000 Dashers, their driver’s license numbers were also accessed.

Why Is This Breach Different From This Year’s Previous Breaches?

While data breaches have become somewhat common place as business moves increasingly online, DoorDash’s may differ in that about 100,000 “dashers,” the independent contractors who perform the company’s delivery services, may have had their driver’s license numbers leaked.

What Has the Company Done?

via Twitter

The company stated in its blog post that “[it] ha[s] taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.”

We immediately launched an investigation, and outside security experts were engaged to assess what occurred,” Mattie Magdovitz, the company’s senior communications manager, said in an email.

DoorDash said it blocked the unauthorized user’s access, added additional protective security layers around the data, improved security protocols that govern access to systems, and brought in outside expertise.

The company is currently in the process of notifying those affected as quickly as possible and will continue to reach out over the coming days.

However, the means by which the company has reached out, isn’t sitting so well with some users.

via Twitter

What Can You Do?

CHANGE YOUR PASSWORDS. How? We got you.

You can change your DoorDash password by visiting https://www.doordash.com/accounts/password/reset/ and using the email address associated with your DoorDash account.

The company said it doesn’t think passwords were compromised but that it encourages users to change them just in case. Again, as we’ve seen from these breaches, trusting what these companies “think” was and was not compromised is of no matter—just change your passwords people.

For further information, Door Dash has also set up a dedicated call center available 24/7 for support at 855–646–4683.

While the company has indicated that its investigation is ongoing, this breach is only the latest legal challenge for DoorDash.  In July, the company said it would change its controversial tipping policy after significant outcry from workers and advocacy groups, handing over the full tip to delivery workers. Previously, tips were used to help fund the minimum payment guaranteed to the driver.

This breach follows recent breaches such as MoviePass, Capital One, Facebook, and Equifax.