DoorDash Data Breach Exposes Personal Data of Customers, Employees

Colin Thierry

Malicious actors obtained personally identifiable information of both customers and workers of the US food delivery service DoorDash, according to a statement released by the company last week.

The data breach occurred after a third-party vendor fell victim to a phishing attack that allowed hackers to steal employee credentials and access internal tools, the statement added.

“We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” read the notice from DoorDash.

In the data breach notice, DoorDash didn’t disclose how many customers were impacted. However, the company did disclose the type of customer and employee information exposed, which included:

  • Names, email addresses, delivery addresses, and phone numbers of customers.
  • Basic order information and partial payment card information, such as card type and the last four digits of the card number, for a smaller set of consumers.
  • Names, phone numbers, and email addresses of delivery drivers.

“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” DoorDash added in its notice.

The company also said that it hadn’t seen any evidence of the misuse of the exposed personal data, such as identity theft or fraud.

In response to the data breach, DoorDash said it immediately cut ties with the hacked third-party vendor and that it’s working to strengthen its internal security systems and those of its third-party vendors. Additionally, the company said that it’s working with police to find the identity of the threat actors.

Currently, DoorDash customers are still urged to be on the lookout for unsolicited emails, texts, or phone calls asking for personal information, and to never click on or download attachments from unsolicited correspondence.

“The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies,” DoorDash said. “We understand that law enforcement is aware of this campaign and is actively investigating. We have contacted them to offer our support.”

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.