Food delivery service DoorDash has confirmed a data breach that exposed the personal information of a small percentage of its customers. The company stated the incident was the result of a sophisticated phishing attack that compromised a third-party vendor, giving threat actors access to some of DoorDash’s internal tools.
The company has begun directly contacting customers who were affected by this security event. This incident is linked to the same phishing campaign that also targeted the digital communications company Twilio, which provided services to DoorDash.
What Information Was Exposed?
According to DoorDash’s official statement, the unauthorized party was able to access sensitive customer data. The information exposed in the breach includes:
Customer names, email addresses, delivery addresses, and phone numbers.
For a smaller subset of affected customers, the breach also exposed basic order information and partial payment card information, specifically the card type and the last four digits of the card number. DoorDash has clarified that full payment card numbers, bank account numbers, and user passwords were not accessed or compromised during the incident.
Incident Response and Timeline
DoorDash was first alerted to the breach by its third-party vendor on August 4, 2022, after the vendor detected unusual and suspicious activity. DoorDash stated that, upon learning of the compromise, it took immediate action to block the unauthorized access to its internal systems in order to prevent further data exposure.
The company is currently working with unnamed security experts to assist with its ongoing investigation and to further enhance its security protocols. DoorDash has also shared security tips and reminders with its user base via its website. This is not the first data breach for the company, which previously suffered a major incident in 2019 that affected 4.9 million people.