DoorDash data breach leaves important customer details exposed

NelsonG · August 29, 2022

Doordash Inc. application is displayed in the App Store on a smartphone

Food delivery giant DoorDash has confirmed a data breach that has left customers' personal information exposed to hackers, the company announced in a statement Wednesday.

DoorDash stated that an "undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers" stolen. For drivers with the company, hackers were able to access names, phone numbers, and email address information.

In its statement, DoorDash explained that the breach was the result of a third-party vendor that was hacked through a sophisticated phishing campaign. Employees of the vendor had credentials that were stolen that were then used to access DoorDash's internal tools. The company said it cut off the third-party vendor’s access to its systems after discovering “unusual and suspicious” activity.

DoorDash did not state any timeline of discovery of the breach. A spokesperson with DoorDash told TechCrunch that the company took time to "fully investigate what happened, which users were impacted and how they were impacted” before disclosing the data breach."

SEE ALSO: Apple security flaw may allow hackers full control of devices, company warns

According to TechCrunch, DoorDash did not name the third-party vendor but did confirm the company was reached by the same bad actors that compromised SMS communication company Twilio earlier this month. Other companies affected by the Twilio hack include the authentication service Okta; messaging platform Signal; and password manager LastPass. The CEO of LastPass Karim Toubba confirmed in a letter that hackers stole source code and proprietary information but found "no evidence the incident exposed any customer data or passwords."

A Twilio spokesperson confirmed in an email to Mashable that it was not the third-party vendor responsible for the DoorDash breach.

DoorDash confirmed in its statement that information like passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers were not accessed. Furthermore, the company told TechCrunch that it's hired an unnamed cybersecurity expert to help investigate the compromise and further strengthen the company's security systems.

"We value the trust we’ve built with each and every member of the DoorDash community and protecting our platform and your personal information is a top priority for DoorDash," the company's statement read. "We sincerely regret that this attack occurred."

Previously in 2019, hackers stole customer data from DoorDash, resulting in 4.9 million customers, drivers, and merchants having their information compromised. The company also blamed the attack on an unnamed third-party vendor.

UPDATE: Aug. 28, 2022, 7:15 p.m. CDT This article was updated to clarify that the Twilio hack was not responsible for the DoorDash breach.

View the full article