Reports indicate that DoorDash has confirmed a phishing attack that exposed full customer contact details in a security breach. This customer information includes names, addresses and phone numbers.
However, for some customers, this information also includes “partial payment card information”, or the last four digits of a user’s card number.
DoorDash Falls Victim to Phishing Attack, Some User Information Breached
According to a report from DoorDash, the information was obtained via a phishing attack on a third-party vendor. DoorDash insists that the phishing campaign in no way compromised sensitive information, and that the affected personal information is not being used for fraud or identity theft at this time.
The phishing attack involved using stolen credentials to gain access to internal DoorDash tools. The attackers were then able to access the data of customers.
DoorDash was able to discover the phishing attack after detecting “unusual and suspicious activity” from a third-party vendor’s network. DoorDash quickly responded by disabling the vendor’s access to the system.
According to DoorDash, the attack is a part of a larger phishing campaign targeting multiple companies. Law enforcement is currently investigating.
According to DoorDash:
“For consumers, the information accessed by the unauthorized party primarily included name, email address, delivery address and phone number. For a smaller set of consumers, basic order information and partial payment card information (i.e., the card type and last four digits of the card number) was also accessed. For Dashers, the information accessed by the unauthorized party primarily included name and phone number or email address. The information affected for each impacted individual may vary.”
Furthermore, DoorDash claims that the attackers were not able to access passwords, full payment card numbers, bank account numbers or Social Security/Social Insurance numbers.
In response, DoorDash stated it is taking the following measures:
- Notifying law enforcement
- Notifying affected users and data protection regulators
- Enhancing security at DoorDash and the third-party vendor
- Bringing in a cybersecurity firm to assist in the investigation
DoorDash has also provided users with an F.A.Q.
As always, be sure to protect yourself by staying cautious toward unsolicited communication. Never give out your personal information in response to unsolicited messages or on websites they point to. Users can also protect themselves by not clicking links or downloading attachments in suspicious emails.
Of course, make sure that your software is always up to date as well.