Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

DoorDash Discloses Data Breach Related to Attack That Hit Twilio, Others

Food delivery company DoorDash revealed on Thursday that customer and employee data has been exposed as a result of a recent breach at a third-party vendor.

DoorDash said hackers abused a third-party vendor’s access to its systems. The attacker abused DoorDash’s internal tools and gained access to the information of ‘a small percentage of individuals’.

Food delivery company DoorDash revealed on Thursday that customer and employee data has been exposed as a result of a recent breach at a third-party vendor.

DoorDash said hackers abused a third-party vendor’s access to its systems. The attacker abused DoorDash’s internal tools and gained access to the information of ‘a small percentage of individuals’.

In the case of consumers, the compromised information includes names, email addresses, delivery addresses, and phone numbers. In some cases, partial payment card information (card type and last four digits of card number) and basic order information was also exposed.

In the case of Dashers — the people who make deliveries — the attacker accessed name and phone number or email address.

“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” DoorDash said.

The company added that it has “no reason to believe that affected personal information has been misused for fraud or identity theft.”

While the food delivery platform’s public security notice does not name the affected third-party vendor, the company has told the media that it’s related to the attack that also targeted Twilio. However, Twilio and DoorDash clarified that Twilio is not the third-party vendor in question. 

Twilio is one of the more than 130 companies targeted recently in a massive phishing campaign that leverages SMS-based messages to lure the employees of targeted organizations to phishing websites that instruct them to hand over their credentials.

Advertisement. Scroll to continue reading.

The attackers appear to be mostly interested in Okta identity service credentials, which is why cybersecurity firm Group-IB has been tracking the campaign as 0ktapus.

According to Group-IB, the hackers appear to have obtained nearly 10,000 credentials, including from Cloudflare and Twilio.

While in the case of Cloudflare impact appears to have been limited by the attackers’ inability to bypass two-factor authentication, Twilio has confirmed that the incident has impacted at least 163 customers.

One of those impacted customers is the secure communications firm Signal, which reported recently that 1,900 of its users were impacted, with the attackers attempting to re-register their phone numbers to new devices.

Many of the victims of the 0ktapus campaign are organizations in the United States. Group-IB believes the attackers may have obtained the phone numbers to which they sent phishing messages after targeting mobile operators and telecom companies.

Based on the targets and the attackers’ actions, the cybersecurity firm believes the group is likely financially motivated.

*an earlier version of this article incorrectly stated that Twilio is the third-party vendor referenced in the DoorDash breach disclosure. Twilio has clarified that it is not the vendor in question. The headline has also been updated to reflect this.

Related: Cryptocurrency Services Hit by Data Breach at CRM Company HubSpot

Related: Microsoft, Okta Confirm Data Breaches Involving Compromised Accounts

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.