Food delivery giant DoorDash has confirmed a data breach that has left customers’ personal information exposed to hackers, the company announced in a statement Wednesday.
DoorDash stated that an “undisclosed number of customers had their names, email addresses, delivery addresses, phone numbers, and partial payment card numbers” stolen. For drivers with the company, hackers were able to access names, phone numbers, and email address information.
In its statement, DoorDash explained that the breach was the result of a third-party vendor that was hacked through a sophisticated phishing campaign. Employees of the vendor had credentials that were stolen that were then used to access DoorDash’s internal tools. The company said it cut off the third-party vendor’s access to its systems after discovering “unusual and suspicious” activity.
DoorDash did not state any timeline of discovery of the breach. A spokesperson with DoorDash told TechCrunch that the company took time to “fully investigate what happened, which users were impacted and how they were impacted” before disclosing the data breach.”
According to TechCrunch, DoorDash did not name the third-party vendor but did confirm the attack was related to the phishing attack that compromised SMS communication company Twilio. Other companies affected by the Twilio hack include the authentication service Okta; messaging platform Signal; and password manager LastPass. The CEO of LastPass Karim Toubba confirmed in a letter that hackers stole source code and proprietary information but found “no evidence the incident exposed any customer data or passwords.”
DoorDash confirmed in its statement that information like passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers were not accessed. Furthermore, the company told TechCrunch that it’s hired an unnamed cybersecurity expert to help investigate the compromise and further strengthen the company’s security systems.
“We value the trust we’ve built with each and every member of the DoorDash community, and protecting our platform and your personal information is a top priority for DoorDash,” the company’s statement read. “We sincerely regret that this attack occurred.”
Previously in 2019, hackers stole customer data from DoorDash, resulting in 4.9 million customers, drivers, and merchants having their information compromised. The company also blamed the attack on an unnamed third-party vendor.