DoorDash Data Breach Hits 4.9 Million: What to Do Now

DoorDash logo
(Image credit: DoorDash)

Restaurant-delivery service DoorDash disclosed today (Sept. 26) that 4.9 million customers, merchants and delivery personnel had their sensitive information compromised in a data breach. 

The information includes "names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords," DoorDash said in a blog posting

The last four digits of credit card numbers belonging to some DoorDash customers was included, as were the last four digits of some bank-account numbers of merchants and delivery people. DoorDash insists that none of the financial information is enough to facilitate fraud.

About 100,000 drivers' license numbers of delivery persons was also compromised. 

However, only customers, merchants and delivery persons who registered with DoorDash before April 5, 2018, are affected. Anyone who signed up with DoorDash later is in the clear.

If you're in the former group, you should change your DoorDash password at

MORE: What to Do After a Data Breach

It's nice to hear that the passwords were hashed and salted -- i.e., sprinkled with added data and then run through a supposedly irreversible mathematical algorithm. That will make them much harder to "crack," but some password-hashing algorithms are stronger than others, and DoorDash didn't specify what it used.

Needless to say, you shouldn't be reusing passwords from one account to another, especially when a credit-card number is tied to an account. 

Make up weird, long passwords with lots of different types of characters and write them all down in a book you keep in a locked drawer, or use one of the best password managers to generate and keep the passwords for you. Just don't reuse them.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.