DoorDash data breach affects 4.9M merchants, consumers, drivers

DoorDash said Thursday that it determined earlier this month that on May 4 an unnamed "third-party service provider" had gotten its hands on customers' data. The company said nearly 5 million merchants as well as consumers and delivery drivers were affected by the massive data breach, which it did not learn of until earlier this month.

Round-the-clock DoorDash breach support line:

1-855-646-4683

What data was breached?

Profile information was accessed for users who joined the platform on or before April 5, 2018. It included names, email addresses, delivery addresses, order histories, phone numbers and so-called "hashed, salted passwords," a form that renders them indecipherable to third parties.

Those who first joined the service after April 5, 2018, were not affected, however.

For some merchants and Dashers, AKA drivers, the last four digits of their bank account numbers were captured, although complete account information was not accessed. According to DoorDash, that means the hackers didn't gain enough information to make fraudulent withdrawals from bank accounts. About 100,000 Dashers, however, had their driver's license numbers accessed as well.

Some of the platform's consumer-users also had the last four digits of their payment cards tapped, but DoorDash said complete credit card information, such as entire numbers or CVV codes, was not accessed. That means, according to DoorDash, that the hacked info wasn't sufficient to lead to fraudulent charges, but it said customers should be vigilant about watching their accounts for suspicious activity.

The company said it has already taken steps to secure data including putting more security layers in place, hardening access to the systems by boosting security measures and bringing in outside expertise to "increase our ability to identify and repel threats."

But companies that make it their business to protect businesses against such third-party provider breaches are saying that everyone needs to take more measures to secure the customer data that passes through their digital "fingers" daily.

"Breaches of company data due to security failures of their third-party providers are going to continue at an increasing rate until companies own up to doing the work necessary to effectively manage vendor risk," Kelly White, CEO of third-party cybersecurity risk software company, RiskRecon, said via email. "The all-too-common approach of managing vendor risk through security questionnaires is insufficient.

"No one would manage their internal risk only through questionnaires, so why would it work for managing vendor risk? Companies must verify the quality of their vendor cybersecurity through direct evidence, enabling them to gain the transparency necessary to understand their risk and hold their vendors to better cybersecurity performance."

How DoorDash is helping those potentially breached 

The company said it's contacting those affected "directly" as quickly as possible to let them know how much and what type of information was accessed from their accounts, although it said it didn't think user passwords were compromised. Nonetheless, it encouraged its users to reset passwords to something exclusive to DoorDash. 

"We deeply regret the frustration and inconvenience that this may cause you," the company said on its website. "Every member of the DoorDash community is important to us, and we want to assure you that we value your security and privacy."