Food delivery platform and UberEats competitor DoorDash has confirmed it has suffered a data breach affecting almost five million customers.
In May, an unauthorised third party was able to access DoorDash user data, the company said in a blog post.
DoorDash said it noticed unusual activity and “immediately launched an investigation”, employing outside security experts to figure out what was going on.
When it realised a hacker had been able to access data, “we took immediate steps to block further access”, the blog said.
The breach comes just weeks after DoorDash announced it would be launching in Australia, taking on the likes of Deliveroo, UberEats and Menulog.
It’s already available in Melbourne, and the business intends to roll out across the rest of the country in late-2019 and early-2020.
The company specified the breach has only affected customers who joined before April 5, 2019, meaning it is unlikely any Aussies will have been hit.
DoorDash said data that could have been affected in the breach includes customer names, delivery addresses and phone numbers, as well as email addresses, order history and hashed and salted passwords.
For some customers, the last four digits of their payment cards have been leaked, but DoorDash stressed the full card numbers and CVVs were not accessed.
The last four digits of some merchants’ bank account numbers were also exposed, as well as those of some deliver drivers, or ‘dashers’.
The drivers licence numbers of about 100,000 dashers were also accessed, DoorDash said.
In the statement, DoorDash said it is reaching out to affected users directly with specific information about what was accessed.
While it said it doesn’t believe users’ passwords were compromised, the statement cautioned users to change them anyway.
“We deeply regret the frustration and inconvenience that this may cause you,” it said.
Get SmartCompany FREE to your inbox every weekday.
“Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy.”
Responses to the blog post called the situation “ridiculous”, or accused DoorDash of being “asleep at the wheel”.
Others expressed concern the blog suggested DoorDash was storing customers’ CVV numbers.
Another commented that DoorDash’s advice was “unacceptable”.
“My entire identity, including where I live is stolen and your only solution is that I should change my password?”
The leak follows several high-profile data breaches in Australia. In May, Aussie unicorn Canva suffered a breach that saw the data of 139 million users stolen.
Canva faced criticism in its handling of the breach. The initial email sent to inform customers led with decidedly positive news about the business, including its new T-shirt printing capabilities, before discussing the security incident.
In July, cosmetics retailer Sephora also informed customers, including those in Australia, that their personal information and encrypted passwords may have been exposed.
Data from the Information Commissioner suggests more than 800 business were hit with data breaches last year, after mandatory reporting regulations came into play in February 2018.