DoorDash hit by data breach linked to Twilio hackers
Hackers accessed DoorDash customer information and some partial payment data
Food delivery giant DoorDash has confirmed a data breach that exposed customers’ personal information.
In a blog post shared with TechCrunch ahead of its publication at market close, DoorDash said malicious hackers stole credentials from employees of a third-party vendor that were then used to gain access to some of DoorDash’s internal tools.
DoorDash said the attackers accessed names, email addresses, delivery addresses and phone numbers of DoorDash customers. For a “smaller subset” of users, hackers accessed partial payment card information, including card type and the last four digits of the card number.
For DoorDash delivery drivers, or Dashers, hackers accessed data that “primarily included name and phone number or email address.” Users of Wolt, the Helsinki-based online ordering and delivery company acquired by DoorDash last year, are unaffected.
DoorDash says that a “small percentage” of users were affected by the incident but declined to say how many users it currently has or provide an accurate number of affected users.
The company said it cut off the third-party vendor’s access to its systems after discovering “unusual and suspicious” activity.
DoorDash did not name the third-party vendor, which “provides services that require limited access to some internal tools,” according to DoorDash spokesperson Justin Crowley, but confirmed to TechCrunch that the vendor breach is linked to the phishing campaign that compromised SMS and messaging giant Twilio on August 4. Researchers linked these attacks to a wider phishing campaign by the same hacking group, dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organizations, including Twilio, Signal, internet companies and outsourced customer service providers, since March.
DoorDash would not say when it discovered it was compromised, but its spokesperson said that the company took time to “fully investigate what happened, what users were impacted and how they were impacted” before disclosing the data breach.
DoorDash says that since discovering the compromise the company hired an unnamed cybersecurity expert to help with its ongoing investigation and is taking action to “further enhance DoorDash’s already robust security systems.”
This isn’t the first time that hackers have stolen customer data from DoorDash’s systems. In 2019, the company reported a data breach affecting 4.9 million customers, delivery workers and merchants who had their information stolen by hackers. It also blamed the breach on an unnamed third-party service provider.