Breach Notification , Cybercrime , Cybercrime as-a-service

Twilio-Linked Phishing Campaign Also Targets DoorDash

'Unusual Activity' By Third-Party Service Provider to Blame
Twilio-Linked Phishing Campaign Also Targets DoorDash

Food delivery firm DoorDash says its customer and employees' data was compromised by the recent phishing attack on its third-party service provider.

See Also: Webinar | Don't Get Hacked in the Cloud: The Essential Guide to CISOcial Distancing

DoorDash says it experienced "unusual and suspicious activity" on its third-party vendor's computer network that was a victim of a sophisticated phishing campaign.

"We swiftly disabled the vendor's access to our system and contained the incident," the company says. "The phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time."

The unauthorized attacker used the stolen credentials of a vendor employee to gain access to some of their internal tools that had access to DoorDash's employees and customer data.

The compromised data included name, email address, delivery address and phone number for consumers and a small set of consumers' basic order information and partial payment card information including the card type and last four digits of the card number were also accessed.

However, for employees of DoorDash, the compromised information includes name and phone number or email address. However, the company says no passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers were compromised in the attack.

"We have also shared security alerts with other third-party vendors detailing the specific tactics used and reminded employees and third-party vendors to be on alert for any suspicious activity," the company says.

The company in its notification says that it is working with an unnamed cybersecurity firm to assist with their ongoing investigation and is notifying affected individuals whose information DoorDash maintains and relevant data protection authorities.

Massive Phishing Effort

DoorDash's spokesperson Justin Crowley confirmed that the vendor breach is linked to the phishing attack on the customer engagement platform Twilio on Aug. 4.

"We can confirm the incident is connected to a wider phishing campaign that has targeted several other companies. The advanced tactics used in this incident are identical to the tactics used against several other companies," Crowley says.

This ongoing phishing campaign codenamed 0ktapus has stolen nearly 10,000 credentials at 130 organizations, including Twilio and email service provider Mailchimp.

Cybersecurity firm Group-IB says it's been tracking the campaign and tied it to the recent attacks. Following a trail of Telegram accounts, researchers say they were also able to identify one of its administrators, "allegedly a 22-year-old software developer" living in North Carolina (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort).

The phishing campaign involves sending SMS messages to targets to trick them into visiting a fake but real-looking Okta login page that captures their one-time code. Group-IB says it's not clear how attackers got contact details for their initial targets, although they began "targeting mobile operators and telecommunications companies," meaning that "chances are, some phone numbers may have been obtained from those initial attacks."

This is not the first time DoorDash has been subjected to a cyberattack. In 2019, DoorDash reported 4.9 million customer, contactor and merchant records were breached after "unusual activity" by a third-party service provider (see: DoorDash Says 4.9 Million Records Breached).

The breach affected those who signed up for DoorDash before April 5, 2018. The leaked data included profile information, which would include names, email addresses, delivery addresses, order histories, phone numbers and hashed and salted passwords.

Some consumers had the last four digits of their payment cards leaked, but the full payment card number and CVV were not exposed. "The information accessed is not sufficient to make fraudulent charges on your payment card," DoorDash said.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.