DoorDash data breach leaves important customer details exposed
Food delivery giant DoorDash has confirmed a data breach that left customers’ personal information vulnerable to hackers, the company announced in a statement Wednesday.
DoorDash stated that an “unknown number of customers had their names, email addresses, shipping addresses, phone numbers and partial payment card numbers” stolen. For drivers with the company, hackers were able to access names, phone numbers and email address information.
In its statement, DoorDash explained that the breach was the result of a third-party vendor being hacked through a sophisticated phishing campaign. Credentials stolen from the vendor’s employees were then used to access DoorDash’s internal tools. The company said it cut off the third-party vendor’s access to its systems after detecting “unusual and suspicious” activity.
DoorDash did not provide a timeline for the discovery of the breach. A spokesperson for DoorDash told TechCrunch that the company took time to “fully investigate what happened, which users were affected and how they were affected” before disclosing the data breach.
According to TechCrunch, DoorDash did not name the third-party provider, but confirmed that the company was reached by the same bad actors that compromised SMS communications company Twilio earlier this month. Other companies affected by the Twilio hack include authentication service Okta; messaging platform Signal; and password manager LastPass. LastPass CEO Karim Toubba confirmed in a letter that hackers stole source code and proprietary information, but found “no evidence that the incident exposed customer data or passwords.”
A Twilio spokesperson confirmed in an email to Mashable that the third-party vendor was not responsible for the DoorDash breach.
DoorDash confirmed in its statement that information such as passwords, full payment card numbers, bank account numbers or social security numbers was not accessed. Furthermore, the company told TechCrunch that it has hired an unnamed cybersecurity expert to help investigate the compromise and further strengthen the company’s security systems.
“We value the trust we’ve built with each and every member of the DoorDash community, and protecting our platform and your personal information is a top priority for DoorDash,” the company’s statement said. “We sincerely apologize that this attack occurred.”
Earlier, in 2019, hackers stole customer data from DoorDash, resulting in 4.9 million customers, drivers and salespeople being compromised. The company also blamed that attack on an unnamed third-party vendor.
UPDATE: August 28, 2022, 7:15 PM CDT This article was updated to clarify that the Twilio hack was not responsible for the DoorDash breach.