The food-delivery service DoorDash confirmed Thursday that 4.9 million of its users, delivery workers and vendors were exposed in a data breach to an "unauthorized third party."
The company made its announcement in a blog post and said it "became aware of unusual activity involving a third-party service producer" earlier this month. As part of the investigation, DoorDash said it determined that the third party had accessed some user data on May 4, 2019.
DoorDash did not reveal the identity of the "unauthorized third party" but said they took steps to block further access.
As a result, the company said around 4.9 million users, delivery workers, and vendors who joined the platform before April 5, 2018 were affected and had some of their data exposed.
DoorDash said it would be reaching out directly "over the coming days" to those who are affected.
The information that was exposed includes names, e-mails, delivery addresses, phone numbers. In some cases, the last four digits of consumer payment cards could have been accessed. Additionally, the last four digital of bank account numbers for its delivery drivers and merchants could have been accessed.
Additionally, DoorDash said 100,000 of company's "Dashers" had their driver's license numbers accessed.
While DoorDash said it does not believe user passwords have been comprised, it is encouraging all those affected to reset their passwords "out of an abundance of caution."
If users need more information, DoorDash has set up a dedicated call center available 24/7 for support at 855-646-4683.