Concise Cyber

DoorDash Confirms Data Breach After Social Engineering Attack on Third-Party Vendor

DoorDash has disclosed a data breach that exposed the personal information of a subset of its customers and delivery drivers, known as Dashers. The company stated that the incident was the result of a sophisticated social engineering and phishing attack targeting a third-party vendor. The threat actors successfully used stolen credentials from the vendor’s employees to gain unauthorized access to some of DoorDash’s internal tools.

The company confirmed that the breach was part of a wider campaign that also targeted other organizations, including Twilio and Cloudflare. The phishing scheme involved tricking employees of the third-party vendor into providing their login credentials on a fraudulent website that mimicked the legitimate login page.

Scope of the Data Exposure

According to DoorDash’s official notice, the unauthorized party accessed information belonging to a “small percentage” of individuals. For affected customers, the exposed data included names, email addresses, delivery addresses, and phone numbers. For some customers, order information and partial payment card details, specifically the card type and the last four digits of the card number, were also accessed.

For the impacted Dashers, the accessed information included names, phone numbers, and email addresses. DoorDash has explicitly stated that more sensitive information, including full payment card numbers, bank account details, and Card Verification Values (CVV), was not compromised. Additionally, user passwords were not accessed as part of this incident.

DoorDash’s Response to the Incident

Upon detecting the unusual and suspicious activity from its third-party vendor, DoorDash’s security team took immediate action to disable the vendor’s access to its systems. The company reported that it has since implemented additional enhanced security controls and is working with law enforcement and cybersecurity experts to investigate the matter further. DoorDash is in the process of directly notifying the individuals whose information was affected by this security breach.

This is not the first security incident for the company; DoorDash previously suffered a significant data breach in 2019 that impacted 4.9 million people.