DoorDash data breach exposes customer details

American food delivery giant DoorDash has confirmed it was hit by a data breach, after discovering suspicious activity from a third-party vendor’s network.

According to reports, the attackers used a sophisticated phishing campaign. They leveraged the vendor's stolen network credentials to gain access to DoorDash’s internal tools, the company stated.

Following a preliminary investigation, the firm confirmed that certain personal information of customers has been exposed. However, DoorDash says that, as of now, customers’ personal information has not been abused for fraud or identity theft.

Names, email addresses, delivery addresses, and phone numbers are among the personally identifiable information disclosed. Basic order information and partial payment card information of select customers were also exposed.

DoorDash confirmed the data breach does not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers.

To thwart further activity by the perpetrators, DoorDash temporarily disabled the vendor’s access to its system. The firm also concluded the attack is tied to a wider phishing campaign that has targeted several other companies.

“While the incident was the result of a phishing attack targeted at a third party, we took action to further enhance DoorDash’s already robust security systems, as well as our third-party vendor’s security systems,” said DoorDash.

“We have also shared security alerts with other third-party vendors detailing the specific tactics used and reminded employees and third-party vendors to be on alert for any suspicious activity.”