In a blog post, food delivery giant DoorDash announced that the company experienced a data breach, which compromised customers' personal information.
According to a report by Bloomberg, names, phone numbers, emails, and delivery addresses of customers where compromised in a hacking incident.
DoorDash Claimed They 'Contained the Incident'
According to DoorDash, the hackers were able to obtain access to some of the company's internal tools using a phishing attach on a third party vendor.
Furthermore, the company said that the hackers used the stolen credentials of vendor employees in order to obtain access to some of their internal tools.
"DoorDash recently detected unusual and suspicious activity from a third-party vendor's computer network," reads the blog post from DoorDash.
According to the company, upon noticing the unusual activity, they quicky disabled the vendor's access to their system and "contained the incident."
The hackers were able to access personal information of DoorDash customers.
In addition, the hackers has accessed partial payment card information, such as card type and the last four digits of the card number of the "smaller subset" of users.
But DoorDash said that based on their investigation, the hackers were not able to access passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers.
TechCrunch said that the company claims that only a "small percentage" of users were affected by the incident. However, DoorDash did not reveal an exact number of affected users.
DoorDash did not reveal the name of the third-party vendor, which "provides services that require limited access to some internal tools," TechCrunch said.
However, the company's spokesperson Justin Crowley, verified that the vendor breach is connected to the phishing campaign that "compromised SMS and messaging giant Twilio" on August 4.
According to TechCrunch, the attack on DoorDash is linked to a wider phishing campaign by the hacking group, dubbed as "0ktapus."
The said hacking group has stolen around 10,000 employee credentials from around 130 organizations, such as Twilio, Signal, internet companies and outsourced customer service providers.
Read Also: DoorDash Reportedly Forces All Employees To Do Deliveries Under WeDash Employee Immersion Progam
DoorDash Enhances its Security Systems
The company did not divulged when it found out about the data breach. According to Crowley, before announcing the data breach, DoorDash took time to "fully investigate what happened, which users were impacted and how they were impacted."
Since the discovery of the data breach, DoorDash hired an unnamed cybersecurity expert to help the company with its ongoing investigation. The company is also taking immediate action to further enhance its security systems.
According to DoorDash, they have also shared security alerts with other third-party vendors specifying the specific tactics used by the hackers. Employees and third-party vendors are also reminded to be on alert for any suspicious activity.
This incident is not first time that DoorDash experienced a data breach. The company also experienced a data breach in 2019, which affected 4.9 million customers, delivery workers and merchants. The hackers stolen their information.
Just like what happened this time, DoorDash also blamed the data breach on an unnamed third-party service provider.
Related Article: DoorDash Can Now Deliver Your Facebook Marketplace Orders Straight to You
