On Thursday, one the country's largest food delivery service apps announced a security breach that left nearly 5 million users' information open to hackers.
DoorDash is a third-party delivery service that partners with restaurants and grocery stores to bring food to private residences and offices. When Chick-fil-A — which doesn't have its own team of drivers — gave away 200,000 chicken sandwiches, for example, they used DoorDash to do it. For years, the company has been duking it out with Uber Eats, Grubhub and Postmates to be the most widely used food delivery service in the world.
But this week, DoorDash's team discovered its app had been hacked.
"We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider," DoorDash said in a blog post. "We immediately launched an investigation and outside security experts were engaged to assess what occurred."
Experts discovered that DoorDash experienced the breach on May 4. The incident opened the data from 4.9 million accounts belonging to customers and merchants to hackers. DoorDash said it took "immediate steps" to block the hackers (who have not been identified) from being able to access any other information and is in the process of reaching out to affected users so they can begin changing their passwords and taking other measures to protect their information.
So who was susceptible to the breach and what information was taken?
DoorDash said users who joined "on or before April 5, 2018," were affected. Any customer, merchant or "Dasher" (delivery person) who joined the app after April 5, 2018, was not susceptible to the breach.
Some of the stolen data included profile information "including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties."
Some accounts also had the last four digits of their credit cards accessed, which DoorDash told its customers is not enough to make fraudulent purchases (this would have required access to full credit card numbers and three-digit card verification codes). Approximately 100,000 dashers also had their driver's license numbers taken.
In addition to blocking the hackers from getting more data, DoorDash says it is also working on beefing up its security to prevent this from happening again and has asked affected users to change their passwords immediately.
The company has a support line available 24 hours a day, seven days a week, so any concerned app users may call (855) 646-4683.