According to the data breach notification sent to the impacted customers and the security note published on the website, the incident took place on May 4, 2019, when an unauthorized party was able to gain access to user information, Users and merchants who were registered on the platform after April 5, 2018, were not impacted.
“Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some
It is not clear how this data was accessed, but they mention that they noticed unusual activity with a third-party service. It is not known if this data was being hosted by a third-party service provider, if they were subject to a supply-chain attack from this service provider, or the unauthorized access originated from this provider.
Exposed data includes profile information, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords. The company also confirmed that for some consumers, Dashers, and merchants, the last four digits of their credit cards or bank accounts were exposed.
“However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.” highlighted the company.
The incident also resulted in the exposure of roughly 100,000 driver’s license numbers associated the Dashers.
The company added that it doesn’t believe that user passwords have been compromised, but as
At the time of writing it is not clear how