DoorDash has officially confirmed a data breach that exposed the personal information of customers and its delivery drivers, known as Dashers. The company stated the security incident was the result of a sophisticated phishing attack aimed at a third-party vendor.

The food delivery service announced that it detected suspicious activity from a third-party vendor’s network and immediately disabled the vendor’s access to its systems. The phishing campaign is reportedly linked to the same threat actor responsible for a recent breach at communications company Twilio.

Details of the Security Incident

The breach originated when malicious actors used stolen credentials from a third-party vendor’s employees to gain access to some of DoorDash’s internal tools. After identifying the unauthorized access, DoorDash took steps to block the intrusion and contain the impact.

In its official notice, DoorDash confirmed that it had hired a leading cybersecurity expert to assist in the ongoing investigation. The company has also reported the incident to law enforcement and relevant regulatory authorities.

Information Exposed and Company Response

For affected customers, the compromised data included names, email addresses, delivery addresses, and phone numbers. A smaller group of customers also had basic order information and partial payment card data exposed, limited to the card type and the last four digits of the card number.

For affected Dashers, the exposed information included names, phone numbers, and email addresses. DoorDash emphasized that sensitive data such as passwords, full payment card numbers, bank account numbers, or Social Security numbers were not accessed in the incident.

DoorDash has begun notifying the individuals impacted by the breach directly. The company is offering affected parties complimentary identity theft protection services and has published security resources on its website to help users protect their accounts.