Hackers gained access to DoorDash customer information and some partial payment details
Meal delivery giant DoorDash has confirmed a data breach exposing customers’ personal information.
In a blog post shared with londonbusinessblog.com ahead of its release at market close, DoorDash said malicious hackers stole credentials from employees of a third-party vendor that were then used to access some of DoorDash’s internal tools.
DoorDash said the attackers had access to the names, email addresses, delivery addresses and phone numbers of DoorDash customers. For a “smaller subset” of users, hackers were able to access partial payment card information, including card type and the last four digits of the card number.
For DoorDash delivery workers, or Dashers, hackers gained access to data that “mainly includes name and phone number or email address”. Users of Wolt, the Helsinki-based online ordering and delivery company acquired by DoorDash last year, are not affected.
DoorDash says a “small percentage” of users were affected by the incident, but declined to say how many users it currently has or give an accurate number of affected users.
The company said it had shut down the third-party vendor’s access to its systems after discovering “unusual and suspicious” activity.
DoorDash did not name the third-party vendor, which “provides services that require limited access to some internal tools,” said DoorDash spokesperson Justin Crowley, but confirmed to londonbusinessblog.com that the vendor’s breach is related to the phishing campaign that compromised text and messaging giant Twilio on August 4. Researchers linked these attacks to a broader phishing campaign by the same hacking group, called “0ktapus,” which has stolen nearly 10,000 employee credentials from at least 130 organizations, including Twilio, Signal, internet companies and outsourced customer service providers, since March.
DoorDash wouldn’t say when it discovered it had been hacked, but the spokesperson said the company took the time to “fully investigate what happened, which users were affected and how they were affected” before making the data breach public.
DoorDash says that since the discovery of the compromise, the company has hired an unnamed cybersecurity expert to assist with the ongoing investigation and is taking action to “further improve DoorDash’s already robust security systems.”
This isn’t the first time hackers have stolen customer data from DoorDash’s systems. In 2019, the company reported a data breach affecting 4.9 million customers, delivery workers and merchants whose information was stolen by hackers. It also blamed an unnamed third-party service provider.