According to DoorDash, a phishing attempt on a business partner resulted in the theft of personal information for certain customers and delivery employees.
Names, emails, physical addresses, and phone numbers of customers were among the information taken. According to a notification made on the website of the meal delivery firm on Thursday, a lesser number of clients had basic order data and partial credit card information taken. The letter assured users that their account passwords and complete credit card data were safe.
The identity information of DoorDash drivers, including their names, contact information, and contact details, was stolen. A “small fraction” of users whose data is held by DoorDash were compromised, although the business could not specify how many customers and delivery personnel were affected in total.
DoorDash said that it uncovered the hack after seeing “strange and suspicious behaviour” emanating from the system of an unnamed third-party vendor. The company said it responded by blocking the vendor’s access to its network and working to control the breach.
According to DoorDash, it seems that a sophisticated phishing effort led to the vendor’s infiltration, allowing thieves access to certain of DoorDash’s internal capabilities through stolen employee credentials. The firm noted that it believes the vendor phishing attempt was part of a bigger effort that has hit other businesses and attracted the attention of law authorities.
DoorDash has said that it has increased its own security as well as the security of its third-party providers as a result of the hack. The company also claimed to be helping law authorities with their investigation into the phishing operation as a whole.