Food delivery service DoorDash has announced that almost 5 million customer accounts were compromised in a data breach this past May.
The breach affects 4.9 million customers, delivery workers and restaurants who joined the platform on or prior to Apr. 5, 2018.
Anyone who joined after then is not affected.
The information taken in the hack includes names, email addresses, addresses, order history and phone numbers. What's more, the last four digits of payment cards were taken, but the "full payment card numbers or a CVV was not accessed."
"The information accessed is not sufficient to make fraudulent charges on your payment card."
Delivery workers and merchants had the last four digits of their bank account numbers taken, while 100,000 delivery workers had their driver's license numbers accessed.
"We take the security of our community very seriously," DoorDash said in a blog post Thursday. "Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred.
"We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized user and to enhance security across our platform."
DoorDash delivers food from a number of restaurants and vendors across the Twin Cities, including fast food outlets such as McDonald's, Chick-fil-A, and Taco Bell, and a number of local restaurants.
Customers who opened their account before Apr. 5, 2018, are being advised to change their passwords out of "an abundance of caution."