What just happened? Food delivery company DoorDash disclosed on Thursday that it was the victim of a data breach affecting 4.9 million customers, Dashers, and merchants.

According to a DoorDash spokesperson, hackers infiltrated databases on May 4, 2019. Apparently, not all customers were affected by the intrusion. The company claims that those who joined the platform after April 5, 2018, are safe. This would seem to indicate that the hackers only gained access to a database used earlier in the company’s history.

DoorDash became aware of suspicious activity earlier this month. The company launched an investigation and concluded the failure was the fault of “a third-party service provider,” but it did not go into specifics.

“We immediately launched an investigation and outside security experts were engaged to assess what occurred,” DoorDash said in the written disclosure. “We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform.”

The “unauthorized third party” stole data, which included names, emails, delivery addresses, order history, phone numbers, and passwords. The company says that the passwords were “hashed and salted,” meaning they were indecipherable outside of the database.

"We deeply regret the frustration and inconvenience that this may cause you. Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy. "

More alarmingly, that data also contained the last four digits of payment cards as well as the last four digits of Dashers and merchant bank accounts. DoorDash says that the full numbers and CVV codes were not taken.

Nearly 100,000 delivery workers also had their driver’s license information stolen as well.

TechCrunch reported almost precisely a year ago that DoorDash customers began complaining about their accounts being hacked. At the time, the company denied that it had leaked data and claimed that the hackers were using “credential stuffing” attacks.

Credential stuffing is when an attacker uses a list of user names and passwords stolen from one website and tries them all on another website. However, many DoorDash customers who were hacked at that time said they used a unique password for the platform, ruling out this method. It is unclear if the two attacks are somehow related.

The company is reaching out to affected parties to let them know exactly what information was compromised. It does not believe that the passwords are readable, but suggests that users reset them just in case.

Image credit: David Tonelson via Shutterstock