US food delivery firm DoorDash has confirmed a phishing attack on a third-party vendor that exposed the personal details of some of its customers and delivery drivers.
The company said in a recent blog post that attackers accessed names, email addresses, delivery addresses and phone numbers of its customers. “Our investigation has determined that a small percentage of individuals whose data is maintained by DoorDash was affected in connection with this incident,” it said.
While the company declined to comment on how many users it currently has or provide an accurate number of affected users, it has cut off the third-party vendor’s access to its systems after discovering “unusual and suspicious” activity.
The investigation found that the vendor itself had been compromised by a sophisticated phishing attack. In fact, a spokesperson confirmed to TechCrunch that the vendor breach is linked to the phishing campaign that compromised messaging giant Twilio on August 4.
Researchers linked these attacks to a wider phishing campaign by the same hacking group, dubbed “0ktapus,” which has stolen close to 10,000 employee credentials from at least 130 organisations, including Twilio, Signal, internet companies and outsourced customer service providers, since March.
DoorDash would not say when it discovered it was compromised, but its spokesperson said that the company took time to “fully investigate what happened, which users were impacted and how they were impacted” before disclosing the data breach.
Without naming the third-party vendor, DoorDash said that “unusual and suspicious activity from a third-party vendor’s computer network” prompted it to act; the company “swiftly disabled the vendor’s access to our system and contained the incident”.
DoorDash added: “The unauthorised party used the stolen credentials of vendor employees to gain access to some of our internal tools.”
This isn’t the first time that hackers have stolen customer data from DoorDash’s systems. In September 2019, the company reported a data breach in which hackers stole the information of 4.9 million customers, delivery workers and merchants. It also blamed that breach on an unnamed third-party service provider.
Since the start of the global pandemic, online businesses in general have faced a spike in cyber threats, and the online food delivery services and restaurant chains that still offer online booking and home delivery are also grappling with cybersecurity concerns. In May 2021, pizza delivery service Domino’s India became the victim of a massive data breach that exposed the details of 18 crore (180 million) pizza orders placed via the service.
In April this year, Yandex Food, a popular food delivery service in Russia, faced a cyber security incident that exposed the personal information of 58,000 users.
On 30 June 2022, the UK’s largest ready-meal provider, Wiltshire Farm Foods, confirmed that its systems had been crippled by a cyber-attack.