The Washington Post

DoorDash data breach affects 4.9 million users

Hackers may have accessed addresses, phone numbers and partial credit card numbers, as well as driver’s license numbers for 100,000 workers.

A DoorDash driver receives an order Aug. 2 in Daly City, Calif. (Christie Hemm Klok for The Washington Post)

Food-delivery service DoorDash said Thursday that the personal data of 4.9 million customers, workers and merchants was compromised earlier this year through an unnamed third-party service provider.

The leaked data may have included names, delivery addresses, phone numbers, order history and the last four digits of customers’ credit cards. Passwords were also compromised, though in an undecipherable “salted” form.

While data breaches have become somewhat commonplace as business moves increasingly online, DoorDash’s may differ in that about 100,000 “dashers,” the independent contractors who perform the company’s delivery services, may have had their driver’s license numbers leaked. Some dashers and merchants may have also had the last four digits of their bank account numbers compromised, according to the company.

The issue impacts some users who joined the platform before April 5, 2018. The data was compromised on May 4.

DoorDash declined to comment beyond the information contained in its Thursday blog post, in which the company said that it “deeply regret[s] the frustration and inconvenience” the issue may cause its users.

DoorDash said it became aware of “unusual activity involving a third-party service provider” earlier this month. After completing an investigation and blocking an unauthorized user, the company says it has added additional layers of security around its data and is consulting outside security experts on identifying future threats.

The company said the credit card and bank account information was not sufficiently complete for unauthorized parties to make fraudulent charges. Still, DoorDash said it is reaching out to all affected users and encouraging them to reset their passwords.

DoorDash’s breach joins a string of data breaches in recent years, including at Yahoo, Target and Home Depot. In 2017, credit-reporting agency Equifax had a breach that compromised information such as Social Security numbers and credit card details for about half of all Americans. The company agreed over the summer to pay up to $700 million to settle a series of state and federal investigations.

The breach is only the latest challenge for DoorDash. In July, the company said it would change its controversial tipping policy after significant outcry from workers and advocacy groups, handing over the full tip to delivery workers. Previously, tips were used to help fund the minimum payment guaranteed to the driver.