‘Unusual Activity’ By Third-Party Service Provider to Blame
Food delivery firm DoorDash says its customer and employees’ data was compromised by the recent phishing attack on its third-party service provider.
See Also: Data Sharing Espionage: A Fraud Discussion
DoorDash says it experienced “unusual and suspicious activity” on its third-party vendor’s computer network that was a victim of a sophisticated phishing campaign.
“We swiftly disabled the vendor’s access to our system and contained the incident,” the company says. “The phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time.”
The unauthorized attacker used the stolen credentials of a vendor employee to gain access to some of their internal tools that had access to DoorDash’s employees and customer data.
The compromised data included name, email address, delivery address and phone number for consumers and a small set of consumers’ basic order information and partial payment card information including the card type and last four digits of the card number were also accessed.
However, for employees of DoorDash, the compromised information includes name and phone number or email address. However, the company says no passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers were compromised in the attack.
“We have also shared security alerts with other third-party vendors detailing the specific tactics used and reminded employees and third-party vendors to be on alert for any suspicious activity,” the company says.
The company in its notification says that it is working with an unnamed cybersecurity firm to assist with their ongoing investigation and is notifying affected individuals whose information DoorDash maintains and relevant data protection authorities.
The company did not respond to Information Security Media Group’s request for additional details.
Massive Phishing Effort
DoorDash did not name the affected third-party company, but says that the campaign’s tactics look like a wider ongoing phishing campaign that targeted several organizations recently.
“The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies. We understand that law enforcement is aware of this campaign and is actively investigating. We have contacted them to offer our support,” the company says.
A report by the TechCrunch says that DoorDash’s spokesperson Justin Crowley confirmed that the vendor breach is linked to recent phishing attack on the customer engagement platform Twilio on August 4.
This ongoing phishing campaign codenamed 0ktapus has stolen nearly 10,000 credentials at 130 organizations, including Twilio and email service provider Mailchimp.
Cybersecurity firm Group-IB says it’s been tracking the campaign and tied it to the recent attacks. Following a trail of Telegram accounts, researchers say they were also able to identify one of its administrators, “allegedly a 22-year-old software developer” living in North Carolina. (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort).
The phishing campaign involves sending SMS messages to targets to trick them into visiting a fake but real-looking Okta login page that captures their one-time code. Group-IB says it’s not clear how attackers got contact details for their initial targets, although they began “targeting mobile operators and telecommunications companies,” meaning that “chances are, some phone numbers may have been obtained from those initial attacks.”
This is not the first time DoorDash has been subjected to a cyberattack. In 2019, DoorDash reported 4.9 million customer, contactor and merchant records were breached after “unusual activity” by a third-party service provider. (See: DoorDash Says 4.9 Million Records Breached).
The breach affected those who signed up for DoorDash before April 5, 2018. The leaked data included profile information, which would include names, email addresses, delivery addresses, order histories, phone numbers and hashed and salted passwords.
Some consumers had the last four digits of their payment cards leaked, but the full payment card number and CVV were not exposed. “The information accessed is not sufficient to make fraudulent charges on your payment card,” DoorDash said.