Malicious actors gained personally identifiable information of both customers and workers of the US food delivery program DoorDash, according to a statement released by the company last week.
The data breach occurred after a third-party vendor fell victim to a phishing attack that allowed hackers to steal employee credentials and access internal tools, the statement added.
“We recently became aware that a third-party vendor was the target of a sophisticated phishing campaign and that certain personal information maintained by DoorDash was affected,” read the notice from DoorDash.
In the data breach notice, DoorDash didn’t disclose how many customers were impacted. However, the company did disclose the type of customer and employee information exposed, which included:
- Names, email addresses, delivery addresses, and phone numbers of customers.
- Basic order information and partial payment card information, such as card type and four last digits of the card number for a smaller set of consumers.
- Names, phone numbers, and email addresses of delivery drivers.
“Based on our investigation to date, the information accessed by the unauthorized party did not include passwords, full payment card numbers, bank account numbers, or Social Security or Social Insurance numbers,” DoorDash added in its notice.
The company also said that it hadn’t seen any evidence of the misuse of the exposed personal data, such as identity theft or fraud.
In response to the data breach, DoorDash said it immediately cut ties with the hacked third-party vendor and that it’s working on improving security for its internal and third-party vendors’ security systems. Additionally, the company said that it’s working with police to find the identity of the threat actors.
Currently, DoorDash customers are still urged to be on the lookout for unsolicited emails, texts, or phone calls asking for personal information, and to never click or download attachments for unsolicited correspondence.
“The advanced tactics used appear to be connected to a wider phishing campaign that has targeted a number of other companies,” DoorDash said. “We understand that law enforcement is aware of this campaign and is actively investigating. We have contacted them to offer our support.”