DoorDash customer data hit in phishing attack

Delivery and takeout firm DoorDash has had some of its customer data accessed as the result of a phishing attack, it has confirmed. 

In a blog post, the company said it was the latest to be affected by the knock-on effects of a cyberattack that hit Twilio earlier this month.

DoorDash said that when the unknown attackers breached Twilio’s endpoints, they stole login credentials that some Twilio employees used to access certain DoorDash tools. Using those credentials, the attackers proceeded to access sensitive data it was holding.

Passwords and payment data safe

The company did not give out the specific number of users affected by the breach asides from saying a “small percentage” of individuals could be impacted, but did confirm what data was accessed.

“For consumers, the information accessed primarily included name, email address, delivery address, and phone number,” the blog reads. “For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed. For Dashers, the information accessed by the unauthorized party primarily included name and phone number or email address.” 

Passwords, full payment card numbers, bank account numbers, Social Security numbers, and Social Insurance numbers, were not accessed, the company confirmed, also adding that it found no evidence of the compromised data being used for fraud or identity theft.

To mitigate the issue, DoorDash blocked Twilio’s access to its systems for the time being. It also said it “further enhanced” its security systems, as well as its third-party vendor’s security systems, without detailing exactly what was done. 

“We have also shared security alerts with other third-party vendors detailing the specific tactics used and reminded employees and third-party vendors to be on alert for any suspicious activity.”

The company also brought in a cybersecurity firm to assist with the ongoing investigation, notified its users, and contacted law enforcement.