DoorDash in a blog post related to the data leak, states, “We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected.” This is actually quite common, where big companies who outsource work to smaller firms are affected when the third-party vendors are targeted. These third-party vendors are often smaller companies, having fewer security controls than their bigger business partners. And as it is with cybercriminals, they tend to go for the Achilles heel. DoorDash found out about the data breach when they detected unusual activity from their third-party vendor’s computer. They then swiftly disabled the vendor’s access to their system. The company, after an investigation, claimed that the third-party vendor was compromised through a phishing attack, and the attackers were then able to access some of DoorDash’s internal tools.
DoorDash Hack Part of a Bigger Phishing Campaign
According to DoorDash, the information that leaked was limited to user name, email address, delivery address and phone number. For a small section of users, some basic order information and a section of their card number was also compromised. Apart from users, even delivery partners were affected, and the attackers were able to access some names, phone numbers and email addresses. Recently we reported on a very similar attack where Signal users were affected in a data breach. The breach was through a third-party phone number verification service, Twilio. Turns out, even the DoorDash data leak is related to Twilio. As DoorDash spokesperson Justin Crowley confirmed to TechCrunch, the recent vendor breach was related to the sophisticated phishing attack on Twilio. As the TechCrunch article further states, these attacks can be traced back to the same hacking group “0ktapus”. Group-IB even made its research on the hacking group publicly available, and you can visit this link for more information.