Food delivery app DoorDash says it is enhancing security after being hit by a data breach earlier this year that potentially affects 4.9 million consumers, couriers and merchants in Canada and the U.S.
In a blog post on Thursday, the company said customer data that was accessible may include names, order history, email addresses, phone numbers and “hashed, salted passwords” that would be indecipherable to anyone viewing them.
The last four digits of some customer payment cards and driver and merchant bank accounts were also potentially viewed, though the company said such financial information is not enough to make fraudulent purchases or withdrawals.
The driver’s licence numbers of about 100,000 of the app’s couriers were also affected.
The breach only impacts those who joined the platform on or before April 5, 2018, the post said.
DoorDash said an investigation was launched earlier this month after the company became aware of unusual activity involving a third-party service provider.
DoorDash did not specify who that provider was or what service was provided.
WATCH: How you can protect yourself from digital fraud
It was later determined that the third party accessed some user data on May 4, the company said.
“We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.”
The app, similar to Uber Eats, Foodora and Skip the Dishes, allows customers to pay for meals from a list of participating restaurants and have them delivered.
DoorDash offers the service in 78 Canadian cities, including major centres such as Toronto, Montreal and Vancouver, and says it is on track to expand to 100 cities by the end of the year.
WATCH: How to better protect yourself from data hacking
The company declined to say how many Canadian users were affected, citing security concerns.
“We have directly notified those individuals who are involved,” a spokesperson said via email.
DoorDash is telling users to change their passwords, though it says there’s no evidence they were compromised.
“We have taken a number of additional steps to further secure your data, which include adding additional protective security layers around the data, improving security protocols that govern access to our systems and bringing in outside expertise to increase our ability to identify and repel threats.”