Food delivery goliath DoorDash has confirmed a data breach that exposed customers’ personal information.
In a blog post, DoorDash said cybercriminals stole credentials from employees of a third-party vendor and then used those credentials to gain access to some of the company’s internal tools.
DoorDash said the attackers accessed the names, email addresses, phone numbers, and delivery addresses of DoorDash users. For a smaller number of users, the cybercriminals accessed partial payment card information, including card type and the last four digits of the card.
For DoorDash’s “Dashers,” cybercriminals accessed data that primarily included a name, phone number, or email address. Users of Wolt, the Helsinki, Finland-based online ordering and delivery company acquired by DoorDash last year, are unaffected.
DoorDash said that a small percentage of users were affected by the incident but declined to give an exact number.
DoorDash did not name the third-party vendor, which provided services requiring limited access to some internal tools. Researchers linked these attacks to a broader phishing campaign by the same hacking group, nicknamed “0ktapus,” which has stolen nearly 10,000 employee credentials from at least 130 organizations, including Twilio, Signal, internet firms, and outsourced customer service providers, since March 2022.
This is not the first time hackers have stolen DoorDash’s customer data. In 2019, the firm reported a data breach in which hackers stole the information of 4.9 million customers, merchants, and delivery workers. It also blamed that breach on unnamed third-party service providers.