On Thursday, food delivery giant DoorDash disclosed that customer and employee data was exposed after a third-party vendor became the victim of a data breach.

The company shared in a blog post that malicious hackers managed to steal credentials belonging to the third-party vendor's employees and used them to access some of DoorDash's internal tools.

The vendor, according to DoorDash, offers services requiring limited access to some of the company’s internal tools. 

What Data was Exposed?

According to DoorDash, the attackers stole the email addresses, names, phone numbers, and delivery addresses of DoorDash customers. Payment card data of a small subset of its customers was accessed as well, including the card type and the last four digits of the card number.

It must be noted that users of Wolt, another online ordering/delivery service acquired by DoorDash in 2021, weren’t impacted by this breach.

“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers.”

DoorDash

DoorDash also noted that there wasn’t any evidence that exposed personal data was misused in identity theft or fraud.

Source of the Breach?

In its public security notice, DoorDash didn’t name the third-party vendor that suffered the data breach. The company noted that the attack on the third-party vendor was related to the recent phishing attack against Twilio.

However, it later clarified that Twilio wasn’t the impacted third-party vendor. On 4 August, Twilio was targeted in a large-scale phishing attack by the hacking group 0ktapus.

The hackers used SMS-based messages to trap employees and redirect them to phishing websites where they were instructed to enter credentials.

Text messages sent by hackers to Twilio’s former and current employees – Screengrab: Twilio

DoorDash’s spokesperson Justin Crowley didn’t disclose the number of users possibly impacted by this data breach. Crowley stated that they immediately cut off the link with the third-party vendor after discovering suspicious activity.

Furthermore, according to Crowley, DoorDash took some time to “fully investigate” the incident and determine who was impacted and how before publicly disclosing the breach. The company has also hired cybersecurity experts to investigate further and enhance its security mechanisms. It has contacted law enforcement, too, to help hold the perpetrators accountable.


Posted by Charlie