DoorDash Breach Tied To ‘Oktapus’ Hackers Who Broke Into Twilio And Other Organizations

The giant food delivery company said there’s ‘no reason to believe that affected personal information has been misused for fraud or identity theft at this time.’

DoorDash has confirmed that a recent data breach led to the loss of some customers’ personal information – and that the incident is tied to the same ‘Oktapus’ hackers who recently swiped customer data from communications giant Twilio.

In a blog post, DoorDash, the giant food delivery company, acknowledged that the intrusion was tied to a third-party vendor that had earlier been hacked itself.

“We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” the company said in the blog post.
“Importantly, the phishing campaign did not compromise sensitive information and we have no reason to believe that affected personal information has been misused for fraud or identity theft at this time. “

But the company did concede the cybercriminals got hold of some information.

“For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address and phone number,” DoorDash said in its blog post. “For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed.”

Referring to delivery people, the company added: “For Dashers, the information accessed by the unauthorized party primarily included name and phone number or email address. The information affected for each impacted individual may vary.”

The company said that it is contacting “certain affected DoorDash users where required.” DoorDash has added it has contacted law-enforcement officials.

In a statement issued to CRN by DoorDash spokesman Julian Crowley, the company bluntly laid blame for the incident on the so-called “Oktapus” hacker campaign that’s recently been tied to the breach at Twilio.

“ We can confirm the incident is connected to a wider, sophisticated phishing campaign that has targeted several other companies,” the DoorDash statement said. “The advanced tactics used in this incident are identical to the tactics used against several other companies.”

The DoorDash statement to CRN then referred to a TechCrunch report on how the hackers that had breached Twilio earlier this month also compromised more than 130 organizations during a “hacking spree that netted the credentials of close to 10,000 employees.”

Meanwhile, Bleeping Computer is reporting that Twilio’s investigation into its August 4 attack has revealed that hackers gained access to some two-factor authentication (2FA) accounts and registered unauthorized devices at Twillo.

Regarding its own breach, DoorDash said in its blog post that it had “recently detected unusual and suspicious activity from a third-party vendor’s computer network. In response, we swiftly disabled the vendor’s access to our system and contained the incident.”

DoorDash, which did not disclose the name of the third-party vendor, added: “Based on our investigation, we determined the vendor was compromised by a sophisticated phishing attack. The unauthorized party used the stolen credentials of vendor employees to gain access to some of our internal tools.”

The company concluded its post: “We value the trust we’ve built with each and every member of the DoorDash community, and protecting our platform and your personal information is a top priority for DoorDash. We sincerely regret that this attack occurred.”