Hackers accessed undisclosed number of DoorDash customer's information and some partial payment data
According to a recent announcement from from DoorDash, malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools.
DoorDash said the attackers accessed names, email addresses, delivery addresses and phone numbers of DoorDash customers. For a “smaller subset” of users, hackers accessed partial payment card information, including card type and the last four digits of the card number.
DoorDash says that a “small percentage” of users were affected by the incident but declined to say how many users it currently has or provide an accurate number of affected users.
DoorDash did not name the third-party vendor, which “provides services that require limited access to some internal tools,” according to DoorDash spokesperson Justin Crowley, but confirmed that the vendor breach is linked to the phishing campaign that compromised SMS and messaging giant Twilio on August 4th. Researchers linked these attacks to a wider phishing campaign by the same hacking group, dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations, including Twilio, internet companies and outsourced customer service providers, since March.
This isn’t the first time that hackers have stolen customer data from DoorDash’s systems. In 2019, the company reported a data breach affecting 4.9 million customers, delivery workers and merchants who had their information stolen by hackers. It also blamed the breach on an unnamed third-party service provider.