DoorDash, a popular food delivery app, announced Thursday that hackers accessed the company’s data system and stole the personal information of approximately 4.9 million customers, restaurants and delivery workers — including driver’s license numbers, partial bank and credit card information, as well as names and addresses.

Specifically, DoorDash said in a blog post that customers who signed up for the delivery app before April 5, 2018, potentially had a slew of personal details compromised such as names, email addresses, phone numbers and order histories, as well as the last four digits of debit and credit cards. Full credit card information was not accessed.


The cyber criminals also gained access to “salted and hashed” customer passwords, DoorDash says. This is a protection strategy companies use that transforms the actual password so they’re not identifiable.

For delivery workers and restaurants, hackers also retrieved the last four digits of bank account numbers. But again, DoorDash reports the full bank information was not accessed and “information accessed is not sufficient to make fraudulent withdrawals from your bank account.” About 100,000 delivery workers also had their driver’s license numbers hacked.

Customers who joined after April 5, 2018, were not impacted by the breach, DoorDash reported. The hack occurred in May, and DoorDash says it “took immediate steps to block further access,” but did not immediately explain why it delayed announcing the data breach for five months.

Still concerned? Here are few steps experts recommend taking if you think you may have been affected during a data breach.


1. Change your passwords

DoorDash says it will be reaching out directly to affected customers, restaurants and delivery workers. And while it does “not believe that user passwords have been compromised,” it’s still a good idea to go ahead and update your password. Make sure when you do so, it’s unique to DoorDash. You can make the change through the DoorDash website.

2. Set up credit monitoring

While the DoorDash hackers didn’t retrieve the full payment information, you may want to set up credit monitoring if you don’t already have it in place. You can set up a free monitoring service through sites like Credit Karma, which will send you alert emails about any recent activity on your TransUnion or Equifax credit reports.

If you do suspect your credit card number has been stolen, report it immediately to your credit card company. They will typically close the account, investigate the reported charges and issue you a new credit card.

3. Track your response

Last year, there were 1,244 data breaches reported, according to the Identity Theft Resource Center. While that’s less than the number reported in 2017, the number of hacked consumer records that exposed sensitive information increased.

And each one of those hacks could lead to class-action lawsuits and investigations by regulators, like in the case of Equifax. While not all data breaches will result in a settlement, it’s good to be prepared. Going forward, Charity Lacey, VP of communications at the ITRC, tells CNBC Make It that it’s important for consumers to take breach notifications seriously and document what they do in response.

The Identity Theft Center’s ID Theft Help app has a case log manager tool that can help you track any actions you take in response to a breach.

4. Drivers may want to freeze their credit

A data breach can be more damaging if you have multiple pieces of information leaked. “Sometimes the risk is compounded when criminals have multiple pieces of data,” says cyber-security expert Joseph Steinberg.

In the case of the DoorDash breach, 100,000 delivery drivers had their driver’s licenses stolen, as well as potentially their names and contact information. A stolen driver’s license can be used for identity theft — specifically criminals can use it as proof of ID when opening accounts, Steinberg says.

The drivers may want to take some extra steps to protect their accounts, such as putting a freeze on their credit report, which “is the best way to prevent a criminal from opening an unauthorized account in your name,” says industry analyst Ted Rossman.

If you want to freeze your credit reports and haven’t already done so during a previous data breach, you need to contact the three major credit bureaus, EquifaxExperian and TransUnion, separately. Keep in mind that you will need to unfreeze your credit if you’re applying for any credit products in the future, such as a personal loan, credit card or mortgage.

While a credit freeze will stop anyone from taking out a credit card or loan in your name, it’s not a complete solution. A credit freeze doesn’t do much for identity theft that is not related to opening up a credit account, Steinberg says.

5. Stay alert

Ultimately, all consumers need to be vigilant about suspicious activity regardless of whether they were impacted by this most recent data breach. “The best an individual can do is keep an eye open for scammers contacting them,” says independent computer security analyst Graham Cluley.

That includes being very careful if you get any emails or phone calls purportedly from DoorDash, a scam that occurs frequently after a data breach is announced. If you’re contacted and asked for additional information, reach out directly to the company, rather than just responding.

This article was written by Megan Leonhardt and originally appeared in CNBC Make it.

Ready to Get Started with mDS?

Fill-out the quick form & a MDS technical expert will contact you soon!

+1 (888) 123-4567