DoorDash has confirmed that a recent data breach led to the loss of some customers’ personal information – and that the incident is tied to the same ‘0ktapus’ hackers who recently swiped customer data from communications giant Twilio.
The giant food delivery company, acknowledged that the intrusion was tied to a third-party vendor that had earlier been hacked itself.
“We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” the company said.
“Importantly, the phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time. “
But the company did concede the cybercriminals got hold of some information.
“For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address and phone number,” DoorDash said.
“For a smaller set of consumers, basic order information and partial payment card information (ie, the card type and last four digits of the card number) was also accessed.”
Referring to delivery people, the company added: “For Dashers, the information accessed by the unauthorised party primarily included name and phone number or email address."
"The information affected for each impacted individual may vary.”
The company said that it is contacting “certain affected DoorDash users where required.”
DoorDash has also contacted law-enforcement officials.
In a statement issued to CRN by DoorDash spokesman Julian Crowley, the company bluntly laid blame for the incident on the so-called “0ktapus” hacker campaign that’s recently been tied to the breach at Twilio.
“We can confirm the incident is connected to a wider, sophisticated phishing campaign that has targeted several other companies,” DoorDash said.
"The advanced tactics used in this incident are identical to the tactics used against several other companies.”
DoorDash said that it had “recently detected unusual and suspicious activity from a third-party vendor’s computer network."
"In response, we swiftly disabled the vendor’s access to our system and contained the incident.”
DoorDash, did not disclose the name of the third-party vendor and added: “Based on our investigation, we determined the vendor was compromised by a sophisticated phishing attack.
"The unauthorised party used the stolen credentials of vendor employees to gain access to some of our internal tools.”