Food delivery company DoorDash revealed on Thursday that customer and employee data has been exposed as a result of a recent breach at a third-party vendor.
DoorDash said hackers abused a third-party vendor’s access to its systems. The attacker abused DoorDash’s internal tools and gained access to the information of ‘a small percentage of individuals’.
In the case of consumers, the compromised information includes names, email addresses, delivery addresses, and phone numbers. In some cases, partial payment card information (card type and last four digits of card number) and basic order information were also exposed.
In the case of Dashers — the people who make deliveries — the attacker accessed names and phone numbers or email addresses.
“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” DoorDash said.
The company added that it has “no reason to believe that affected personal information has been misused for fraud or identity theft.”
While the food delivery platform’s public security notice does not name the affected third-party vendor, the company has told the media that it’s related to the attack that also targeted Twilio. However, Twilio and DoorDash clarified that Twilio is not the third-party vendor in question.
Twilio is one of the more than 130 companies targeted recently in a massive phishing campaign that leverages SMS-based messages to lure the employees of targeted organizations to phishing websites that instruct them to hand over their credentials.
The attackers appear to be mostly interested in Okta identity service credentials, which is why cybersecurity firm Group-IB has been tracking the campaign as 0ktapus.
According to Group-IB, the hackers appear to have obtained nearly 10,000 credentials, including from Cloudflare and Twilio.
While in the case of Cloudflare the impact appears to have been limited by the attackers’ inability to bypass two-factor authentication, Twilio has confirmed that the incident has impacted at least 163 customers.
One of those impacted customers is the secure communications firm Signal, which reported recently that 1,900 of its users were impacted, with the attackers attempting to re-register their phone numbers to new devices.
Many of the victims of the 0ktapus campaign are organizations in the United States. Group-IB believes the attackers may have obtained the phone numbers to which they sent phishing messages after targeting mobile operators and telecom companies.
Based on the targets and the attackers’ actions, the cybersecurity firm believes the group is likely financially motivated.
*An earlier version of this article incorrectly stated that Twilio is the third-party vendor referenced in the DoorDash breach disclosure. Twilio has clarified that it is not the vendor in question. The headline has also been updated to reflect this.