On Thursday, DoorDash announced in a blog post that an “unauthorized third party” had accessed user data of approximately 4.9 million “consumers, Dashers, and merchants.” DoorDash said names, email addresses, delivery addresses, order histories, phone numbers, and hashed, salted passwords all “could” have been accessed. But it’s not clear what, if anything, might have been done with the data by the third party.

Some financial information was also accessed. DoorDash said that “for some consumers,” the last four digits of payment cards were accessed, but full card numbers and CCV numbers were not. In addition, some couriers and merchants also had the last four digits of their bank account numbers accessed. Approximately 100,000 of the company’s delivery workers had their driver’s licenses compromised as well.

DoorDash said the data was accessed on May 4th, but the company did not discover the breach until sometime after it began an investigation earlier this month of “unusual activity involving a third-party service provider.” The company is informing customers affected by the breach now. The breach is believed to have primarily targeted DoorDash users who signed up on or before April 5th, 2018, although the company recommends changing your password regardless of when you signed up, “out of an abundance of caution.”

The breach comes about a year after some DoorDash customers said their accounts had been hacked, but DoorDash told TechCrunch at the time that there had not been a data breach. We’ve reached out to DoorDash for comment and will update this article with anything we hear.

Correction, 6:52 PM ET: The breach is believed to have primarily targeted DoorDash users who signed up on or before April 5th, 2018, not just those who signed up before April 5th, 2018, as we originally stated.