DoorDash, the food delivery company, disclosed on Thursday that a recent breach at a third-party vendor had exposed customer and staff data. According to DoorDash, hackers misused a vendor’s access to its networks. By abusing DoorDash’s internal tools, the attacker was able to access the data of “a small percentage of individuals.”
The leaked data includes customers’ names, email addresses, delivery addresses, and phone numbers. In some instances, basic order details and partial payment card information (card type and last four digits of the card number) were also disclosed. In the case of Dashers, the people who make deliveries, the attacker gained access to the name, phone number, or email address.
“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” said DoorDash. The company further said that it has “no reason to believe that affected personal information has been misused for fraud or identity theft.”
Although the food delivery platform’s public security notice does not explicitly name the third-party vendor in question, the company has told the media that the breach is connected to the incident that also hit Twilio. However, Twilio and DoorDash made it clear that Twilio is not the third-party provider in question.
Twilio is one of more than 130 businesses that have recently been targeted by a large phishing campaign. The campaign uses SMS messages to trick employees of the targeted businesses into visiting phishing websites, where they are asked to enter their credentials. Security company Group-IB has been tracking the campaign under the name 0ktapus, since the attackers appear to be primarily interested in credentials for the Okta identity service.
According to Group-IB, the hackers stole nearly 10,000 credentials, including some from Cloudflare and Twilio. Twilio has confirmed that the breach affected at least 163 customers, while the impact on Cloudflare appears to have been limited by the attackers’ failure to get past two-factor authentication. The encrypted communications company Signal is one of the affected customers. Signal recently stated that 1,900 users were affected, with the attackers trying to re-register their phone numbers to new devices.
Organizations in the United States make up a large portion of the 0ktapus campaign’s victims. Group-IB speculates that, after first targeting mobile carriers and telecom firms, the attackers may have obtained the phone numbers to which they sent the phishing messages. Based on the targets and the attacks, the cybersecurity firm believes the group is likely financially motivated.