IE 11 is not supported. For an optimal experience visit our site on another browser.

DoorDash confirms hack affecting nearly 5 million people — here's what you need to know

The popular online delivery service said the hack put millions of customers and merchants' personal information at risk.
/ Source: TODAY

On Thursday, one the country's largest food delivery service apps announced a security breach that left nearly 5 million users' information open to hackers.

DoorDash is a third-party delivery service that partners with restaurants and grocery stores to bring food to private residences and offices. When Chick-fil-A — which doesn't have its own team of drivers — gave away 200,000 chicken sandwiches, for example, they used DoorDash to do it. For years, the company has been duking it out with Uber Eats, Grubhub and Postmates to be the most widely used food delivery service in the world.

But this week, DoorDash's team discovered its app had been hacked.

DoorDash delivers food nationwide for restaurants like Chick-fil-A, Panera and McDonald's.
DoorDash delivers food nationwide for restaurants like Chick-fil-A, Panera and McDonald's.Chick-fil-A

"We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider," DoorDash said in a blog post. "We immediately launched an investigation and outside security experts were engaged to assess what occurred."

Experts discovered that DoorDash experienced the breach on May 4. The incident opened the data from 4.9 million accounts belonging to customers and merchants to hackers. DoorDash said it took "immediate steps" to block the hackers (who have not been identified) from being able to access any other information and is in the process of reaching out to affected users so they can begin changing their passwords and taking other measures to protect their information.

So who was susceptible to the breach and what information was taken?

DoorDash said users who joined "on or before April 5, 2018," were affected. Any customer, merchant or "Dasher" (delivery person) who joined the app after April 5, 2018, was not susceptible to the breach.

Some of the stolen data included profile information "including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties."

Some accounts also had the last four digits of their credit cards accessed, which DoorDash told its customers is not enough to make fraudulent purchases (this would have required access to full credit card numbers and three-digit card verification codes). Approximately 100,000 dashers also had their driver's license numbers taken.

Paying takeout food with credit card
Food delivery is becoming a convenient option for busy families and people on-the-go in both urban and suburban areas across the country.Getty Images stock

In addition to blocking the hackers from getting more data, DoorDash says it is also working on beefing up its security to prevent this from happening again and has asked affected users to change their passwords immediately.

The company has a support line available 24 hours a day, seven days a week, so any concerned app users may call (855) 646-4683.