
DoorDash Discloses Data Breach Related to Attack That Hit Twilio, Others

Food delivery company DoorDash revealed on Thursday that customer and employee data has been exposed as a result of a recent breach at a third-party vendor.

DoorDash said hackers abused a third-party vendor’s access to its systems. The attacker abused DoorDash’s internal tools and gained access to the information of ‘a small percentage of individuals’.


In the case of consumers, the compromised information includes names, email addresses, delivery addresses, and phone numbers. In some cases, partial payment card information (card type and last four digits of card number) and basic order information were also exposed.

In the case of Dashers — the people who make deliveries — the attacker accessed names and phone numbers or email addresses.

“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” DoorDash said.

The company added that it has “no reason to believe that affected personal information has been misused for fraud or identity theft.”

While the food delivery platform’s public security notice does not name the affected third-party vendor, the company has told the media that it’s related to the attack that also targeted Twilio. However, Twilio and DoorDash clarified that Twilio is not the third-party vendor in question. 

Twilio is one of the more than 130 companies targeted recently in a massive phishing campaign that leverages SMS-based messages to lure the employees of targeted organizations to phishing websites that instruct them to hand over their credentials.

The attackers appear to be mostly interested in Okta identity service credentials, which is why cybersecurity firm Group-IB has been tracking the campaign as 0ktapus.

According to Group-IB, the hackers appear to have obtained nearly 10,000 credentials, including from Cloudflare and Twilio.

While in the case of Cloudflare the impact appears to have been limited by the attackers’ inability to bypass two-factor authentication, Twilio has confirmed that the incident has impacted at least 163 customers.

One of those impacted customers is the secure communications firm Signal, which reported recently that 1,900 of its users were impacted, with the attackers attempting to re-register their phone numbers to new devices.

Many of the victims of the 0ktapus campaign are organizations in the United States. Group-IB believes the attackers may have obtained the phone numbers to which they sent phishing messages after targeting mobile operators and telecom companies.

Based on the targets and the attackers’ actions, the cybersecurity firm believes the group is likely financially motivated.

*An earlier version of this article incorrectly stated that Twilio is the third-party vendor referenced in the DoorDash breach disclosure. Twilio has clarified that it is not the vendor in question. The headline has also been updated to reflect this.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
