The food delivery company said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers. The breach happened at some point before May 4, 2019, the company said, but added that customers who joined after April 5, 2018 are not affected by the breach.
It's not clear why it took four months for DoorDash to publicly reveal the breach. Around 100,000 delivery workers also had their driver's license information stolen in the breach. The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked.
The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of stolen usernames and passwords and try them on other sites that may use the same credentials. Many of the customers said their passwords were unique to DoorDash, ruling out such an attack.
What to do
If you feel you have been affected by this, change your password for DoorDash and any online account where you use the same credentials and keep a close eye on your financials.
Be aware of suspicious phishing emails, which are usually the next step for cyber criminals after a breach to trick users into giving up further details.
If you want more information on the latest SAT news, visit our SAT Advisories page.