DoorDash, the American online ordering and food delivery service company, recently revealed that it had suffered a data breach. The leak involved the exposure of both employee and customer data and has been linked to another major cyberattack.

Threat operators often single out firms to attack based on the type of data they retain and handle to operate. Personally identifiable information (PII) like the type exposed in the DoorDash breach may be used to target data subjects in a range of fraudulent campaigns, or it may simply be sold to other malicious actors in online auctions on the dark web.

Disclosure of a data breach

In a recent security advisory released by DoorDash, the company explains that a threat operator gained access to its internal tools, employing stolen credentials from one of the firm’s third-party vendors that had access to its systems. The security notice commented:

“DoorDash recently detected unusual and suspicious activity from a third-party vendor’s computer network. In response, we swiftly disabled the vendor’s access to our system and contained the incident.”

The malicious actor responsible used this access to the delivery service’s internal tools to reach data belonging to both DoorDash staff and customers.

The information exposed includes the full names, email and delivery addresses and telephone numbers of customers. Furthermore, for a small subset of its customer base, the hackers managed to access basic order information and some partial credit card details. This included the card type, along with the final four digits of the payment card number.

Data belonging to company personnel (known by the company as Dashers), such as names, email addresses and phone numbers, may also have been obtained by the threat actors.

While the food delivery firm does not name the third-party vendor in question, DoorDash commented to online periodical TechCrunch that the recent breach is linked to the same malicious actors who were involved in the recent attack on the programmable telecommunication solutions company, Twilio.

This is not DoorDash’s first experience of a data breach. It suffered a breach back in 2019 that led to the exposure of nearly five million consumers’ data.

Part of a larger campaign

In early August, Twilio reported it was breached after several employees were fooled by a text-based phishing attack that empowered threat actors to gain access to internal tooling.

Utilising the access granted, the threat operators were able to access the data belonging to 163 Twilio customers and employ the data in other supply-chain type attacks.

A security advisory from Twilio explained:

“To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorisation for a limited period of time, and we have notified all of them.”

The fallout from the recent attack is still being realised, with Twilio recently disclosing that the hackers also managed to access 93 two-factor authentication accounts during the breach. Additionally, the breach gave hackers access to 1,900 users’ phone numbers.