DoorDash Inc. on Thursday reported a data breach affecting its customers and delivery workers that stems from a phishing attack on a third-party vendor.
The app-based delivery platform said the information accessed included customer names, email addresses, delivery addresses and phone numbers, as well as order information and partial payment-card information. Names, phone numbers or email addresses of DoorDash
workers were also compromised, according to a company blog post.
DoorDash said in its blog post that the number affected represented “a small percentage” of individuals whose information it holds. When reached Thursday, a company spokesman would not give a more specific number.
DoorDash also said in its blog post that according to its investigation of this latest breach, it does not appear that passwords, full payment-card numbers, bank account numbers, or Social Security or Social Insurance numbers were accessed. The company spokesman said that because of that, and the fact that the company does not believe any affected personal information has been misused for fraud or identity theft so far, DoorDash is notifying users only where required.
DoorDash said it investigated the breach and determined that “the unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.” The company spokesman confirmed that it is related to a bigger attack that has affected Twilio Inc.
and a number of other companies, though it did not identify the third-party vendor.
Twilio, a company that facilitates communications between customers and companies, disclosed a phishing attack earlier this month. On Wednesday, Twilio said in a blog post that more than 160 of its customer companies had their data accessed, and that it has notified them all. Among the other companies affected include content delivery network Cloudflare Inc.
and messaging app Signal, according to TechCrunch, which also reported that the broader attack compromised the credentials of almost 10,000 employees across the affected companies.
In 2019, DoorDash disclosed a data breach affecting 4.9 million people, which it also attributed to a third party.
DoorDash has set up a phone number for U.S. and Canadian consumers and drivers to call if they want more information: (833) 559-0221, which is available Monday to Friday from 6 a.m. to 8 p.m. Pacific time, and weekends from 8 a.m. to 5 p.m. Pacific.
See: How scammers target vulnerable gig workers, and why it may never end