A hack on food-delivery service DoorDash leaked the personal data of 4.9 million customers, delivery workers, and merchants, the company revealed on Thursday.

The breach took place on May 4, but DoorDash officials didn't learn of it until earlier this month when they noticed unusual activity involving an unnamed third-party service provider. That's what DoorDash says in post, which began: "We take the security of our community very seriously." Data obtained by the attacker could include names, email addresses, delivery addresses, order histories, phone numbers, and cryptographically hashed and salted passwords.

Also exposed were the last four digits of customers' payment cards and the last four digits of delivery workers' and merchants' bank accounts. Drivers license numbers for about 100,000 delivery workers were also accessed.

DoorDash has no evidence to indicate people who joined the service after April 5, 2018, had their data taken. The 4.9 million figure includes only a portion of users who joined on or before that date. The company said it's in the process of directly notifying those affected.

Change passwords now

The DoorDash post didn't provide details about the cryptographic hashing regimen used to protect passwords, and a spokeswoman's email didn't answer a question seeking that detail. The type of hashing DoorDash used is crucial to assessing the severity of the breach.

Here's why:

Hashing is a process that converts a plaintext password such as "Dan'ssupersecurepassword" (not including the quotation marks) into a long string such as 7140e92c2d1e125aabbdab4cdf31cce8 . Hashes are one-way, meaning there's no mathematical way to convert hashes into the plaintext they were derived from. Hackers can sometimes work around this protection by running large lists of password guesses through hash generators and looking for results that match the hashes found in a breach. Many services in the past have used weak algorithms such as MD5 and SHA1, which were never intended to be used to protect stored passwords. The result: it's trivial for the intruders to crack the hashes generated with these algorithms.

DoorDash's Thursday assurance that passwords had been hashed means little without knowing the specific algorithm or function used. The fact that the hashing routine included "salt" is encouraging. That's because, when done correctly, it would require more computational might for hackers to crack millions of hashes. But unless DoorDash says more, people should remain highly skeptical of the company's claim that the hashing it used made the passwords "indecipherable" and that the company does not believe user passwords have been compromised.

Anyone who has a DoorDash account should change their password to one that is strong and unique. Anyone who has used a DoorDash password to protect other sites should change those passwords as well.

DoorDash said it took actions to block the intruder's access after it discovered the breach earlier this month. That leaves open the possibility that the attackers had access for more than 4.5 months. Thursday's post didn't address this possibility, and the DoorDash spokeswoman declined to answer a question seeking clarification. DoorDash said people can call 855–646–4683 with questions.