Doordash confirmed a data breach that has impacted 4.9 million users in a blog post on Thursday. Information like names, email addresses, delivery addresses, order history, phone numbers, passwords was accessed. The last four digits of some consumers’ credit cards and bank account numbers was also accessed, but Doordash said the exposed information isn’t enough to make a fraudulent purchase.
The company also said about 100,000 Dashers, or drivers, had their driver’s license numbers accessed.
The food delivery company said it became aware of suspicious activity with a third-party service provider earlier this month. After an investigation, Doordash said it discovered another breach occurred in early May. Doordash said that users who joined after April 5, 2018 weren’t affected.
“We immediately launched an investigation and outside security experts were engaged to assess what occurred.,” Mattie Magdovitz, the company’s senior communications manager said in an email.
Doordash said it blocked the unauthorized user’s access, added additional protective security layers around the data, improved security protocols that govern access to systems, and brought in outside expertise.
The company said it doesn’t believe that passwords were compromised but encourages users to change them just in case.
The company said its investigation is ongoing. Doordash is the latest to suffer aafter and earlier this year.
Originally published Sept. 26 at 1:54 p.m. PT.
Update, at 2:06 p.m. PT: Adds comments from Doordash.