DoorDash Inc., a San Francisco-based on-demand food delivery service supplier, has confirmed that about 4.9 million customers, merchants and delivery workers had their sensitive data illegally compromised.
The company admitted that “a third-party service provider”, which it did not name specifically, made unauthorised access to the information of DoorDash employees, users and food service businesses, including names, addresses, order history, phone numbers and other data, Xinhua news agency reported on Thursday.
It said that the data hacking took place in May this year, and hackers stole the information of the last four digits of the credit or debit cards of some customers and merchants.
The breach also included the driver’s licenses of about 100,000 DoorDash delivery workers, said the company.
However, DoorDash said the full bank account information, including card verification values, did not leak and users who joined after April 5, 2018, were not affected.
The company said that security measures had been taken to address the issue.
“We immediately launched an investigation and outside security experts were engaged to assess what occurred,” it said.
A similar data breach happened on September 2018, when DoorDash customers complained that their passwords used on the platform were stolen.