The food delivery service DoorDash has announced a data breach affecting about 4.9 million consumers, merchants, and drivers.

DoorDash officials said the data breach occurred when an unauthorized user was able to access information such as consumers’ names, order histories, phone numbers, and the last four digits of credit card numbers along with partial numbers of merchant and drivers’ bank accounts and more than 100,000 delivery workers’ drivers’ license numbers through a third-party service provider.  The company has yet to name the third-party service provider.

In an official statement on the DoorDash blog, officials said: “We take the security of our community very seriously. Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019. We took immediate steps to block further access by the unauthorized third party and to enhance security across our platform. We are reaching out directly to affected users.”

Officials said users who joined DoorDash on or before April 5, 2018, were compromised in the breach. They said, while they do not believe passwords have been put at risk, they are recommending users reset their passwords to increase security.

The May data breach comes after numerous customers complained last year that their accounts had been compromised. At that time, the company said the accounts were being targeted by credential stuffing attacks.