Online food delivery service DoorDash says it's the victim of a data breach in which the personal information of 4.9 million people was stolen, including names, email addresses, delivery addresses, phone numbers, and partial banking and credit card details.

DoorDash, which allows people to order food from a website or smartphone to be delivered to them, said Thursday an "unauthorized third party" accessed some of the San Francisco-based company's user data on May 4.

As a result, information on customers, merchants and even some delivery drivers was stolen, including partial — but not complete — banking and credit card data, and driver's licence numbers for 100,000 delivery people.

The company said it has closed the access point the cybercriminals used, but the result is anyone who joined the service before April 5, 2018, is possibly impacted. Anyone who joined after that date is not.

Change passwords, DoorDash urges

DoorDash says it is in the process of contacting everyone affected, but as a precaution, it is encouraging all customers to change their passwords via a dedicated website.

The company operates in 4,000 cities, including 92 markets scattered across every Canadian province, so some Canadians are impacted.

But the company won't say how many, exactly.

"The overall proportion of users affected represents a small percentage of our community," spokesperson Mattie Magdovitz told CBC News.

"We remain wholly focused on our investigation and on doing the right thing for the DoorDash community, particularly those affected."