The attacker used credentials stolen from the vendor to access DoorDash's customer data. Information such as users' names, delivery addresses, email addresses, and phone numbers was exposed. The company has not disclosed the number of users affected, nor named the vendor, stating only that "a small number of individuals" were impacted. "Importantly, the phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time," DoorDash said in a blog post on Thursday. The company said that law enforcement is actively investigating the campaign and that it has directly notified affected customers about the incident.
DoorDash Noticed Suspicious Activity from Vendor’s Network
The company recently noticed unusual activity from a third-party vendor's computer network. It disabled the vendor's access to its systems, cutting off the intruder's path before further damage could be done. DoorDash then conducted its own investigation and determined that a malicious actor had used stolen credentials belonging to the vendor's employees to access DoorDash's internal tools. Through those tools, the actor reached the personal information of some of its customers. "For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address and phone number," the company stated. DoorDash clarified that the actor did not access any of its users' passwords, complete payment card numbers, bank account numbers, social security numbers, or social insurance numbers. "For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed. For Dashers, the information accessed by the unauthorized party primarily included name and phone number or email address. The information affected for each impacted individual may vary," it added.
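The sequence above (spot vendor-account activity that does not fit the vendor, cut the account's access, then investigate) is the kind of check a practitioner would want to automate. The following is an added example and not DoorDash's or the vendor's code; DoorDash has not said how it detected the activity. It assumes a hypothetical key=value access-log format for an internal tool, a hypothetical per-vendor allowlist of source networks (`VENDOR_ALLOWLIST`), and constructed sample log lines in which a vendor support account is first used from the vendor's expected network and later, from an unexpected address, to export customer records.

```python
"""Flag vendor-account use from outside the vendor's expected network.

Added example, not DoorDash's or the vendor's code. The log format, the
vendor allowlist and the sample lines below are all hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical: source networks each vendor account is expected to come from.
VENDOR_ALLOWLIST: Dict[str, List[str]] = {
    "vendor-support": ["198.51.100.0/24"],
}

# Constructed sample log lines (hypothetical format):
# <timestamp> user=<account> src=<ip> tool=<internal tool> action=<...> result=<...>
SAMPLE_LOG = """\
2022-08-04T14:02:11Z user=vendor-support src=198.51.100.17 tool=support-console action=login result=success
2022-08-04T14:05:43Z user=vendor-support src=198.51.100.17 tool=support-console action=view_order result=success
2022-08-04T22:31:09Z user=vendor-support src=203.0.113.88 tool=support-console action=login result=success
2022-08-04T22:31:55Z user=vendor-support src=203.0.113.88 tool=support-console action=export_customers result=success
2022-08-04T22:40:02Z user=alice src=192.0.2.10 tool=support-console action=login result=success
"""


@dataclass
class Event:
    ts: str
    user: str
    src: str
    tool: str
    action: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one line of the hypothetical key=value log format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["user"], kv["src"], kv["tool"], kv["action"], kv["result"])


def source_allowed(user: str, src: str, allowlist: Dict[str, List[str]] = VENDOR_ALLOWLIST) -> bool:
    """True if `user` is not a vendor account, or `src` lies within that vendor's CIDRs."""
    if user not in allowlist:
        return True  # employee account; not covered by the vendor check
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowlist[user])


def flag_vendor_anomalies(log_text: str, allowlist: Dict[str, List[str]] = VENDOR_ALLOWLIST) -> List[Event]:
    """Return successful vendor-account events whose source is outside the allowlist."""
    flagged: List[Event] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.result == "success" and not source_allowed(ev.user, ev.src, allowlist):
            flagged.append(ev)
    return flagged


def accounts_to_disable(flagged: Iterable[Event]) -> List[str]:
    """Vendor accounts used from unexpected networks: the access to cut first."""
    return sorted({ev.user for ev in flagged})


if __name__ == "__main__":
    hits = flag_vendor_anomalies(SAMPLE_LOG)
    for ev in hits:
        print(f"ALERT {ev.ts} {ev.user} from {ev.src} did {ev.action} via {ev.tool}")
    print("disable:", accounts_to_disable(hits))
```

Run on the constructed sample, the two events from 203.0.113.88 are flagged and `vendor-support` is the account to disable; the later `export_customers` action is the one that matters for scoping what data was reached. A network allowlist is a backstop, not a prevention: the credential was still valid. The control that stops this class of attack outright is phishing-resistant MFA on vendor access, which is why Cloudflare, hit by the same campaign and relying on hardware security keys, was able to thwart it.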
DoorDash’s Response to the Incident
Although the compromise originated at a third-party vendor, DoorDash said it has taken action to strengthen its own security systems. It also sent security alerts to its other vendors with guidance on recognizing social engineering attacks. The company said it has engaged a leading cybersecurity firm to assist with its investigation and has been in contact with law enforcement. As mentioned earlier, DoorDash is notifying affected users, as well as the relevant data protection authorities. "At DoorDash, a core value is getting 1% better every day. We will continue to work with external experts to further enhance the security of our systems," the company stated.
Breach Tied to Twilio Social Engineering Attack
Notably, DoorDash did not reveal the vendor's name in its statement. However, company spokesperson Justin Crowley told TechCrunch that the incident is tied to the Twilio breach earlier this month. Cybercriminals carried out a successful social engineering attack against Twilio, gaining access to its internal network as well as to customer accounts. The incident affected 163 Twilio customers, including several high-profile services, such as Signal, that have large user bases of their own. Cloudflare also reported facing a similar social engineering attack around the same time as Twilio, though it managed to thwart the attack. This is not DoorDash's first security incident either: a 2019 data breach may have exposed the information of around 4.9 million customers, drivers and businesses.