Food delivery firm DoorDash has disclosed a data breach exposing customer and employee data that is linked to the recent cyberattack on Twilio.
In a security advisory released Thursday afternoon, DoorDash says that a threat actor gained access to the company’s internal tools using stolen credentials from a third-party vendor that had access to their systems.
“DoorDash recently detected unusual and suspicious activity from a third-party vendor’s computer network. In response, we swiftly disabled the vendor’s access to our system and contained the incident,” explains the DoorDash security notice.
The hacker used this access to DoorDash’s internal tools to access data for both consumers and employees.
The exposed information includes the names, email addresses, delivery addresses, and phone numbers of consumers. In addition, for a small subset of customers, the hackers accessed basic order information and partial credit card information, including the card type and the last four digits of the card number.
For employees of the company, known as Dashers, the hackers may have accessed names, phone numbers, and email addresses.
While DoorDash does not mention the name of the third-party vendor, the food delivery company told TechCrunch that the breach is linked to the same threat actors who recently attacked Twilio.
DoorDash previously suffered a data breach in 2019 that exposed the data of nearly 5 million customers.
Part of a larger ‘Oktapus’ phishing campaign
Earlier this month, Twilio disclosed that they were breached after multiple employees fell for an SMS phishing attack that allowed threat actors to access internal systems.
Using this access, the threat actors could access the data of 163 Twilio customers and use that data in further supply-chain attacks.
“To date, our investigation has identified 163 Twilio customers – out of a total customer base of over 270,000 – whose data was accessed without authorization for a limited period of time, and we have notified all of them,” explains an updated Twilio security advisory.
The fallout from this attack is just being realized, with Twilio disclosing this week that the hackers were also able to access 93 Authy 2FA accounts as part of the breach.
Signal also disclosed that the breach allowed hackers to access the phone numbers of 1,900 users, with some accounts reregistered to new devices.
However, the attacks on Twilio and DoorDash are part of a much larger phishing campaign dubbed ‘Oktapus’ after the threat actor’s targeting of Okta identity management login credentials.
The campaign was discovered by cybersecurity firm Group-IB, which said that the threat actors breached over 130 organizations worldwide using an SMS phishing campaign.
These SMS phishing texts utilized phishing domains containing the keywords “OKTA,” “HELP,” “VPN,” and “SSO” and told targets to click on a link to update their password or access other information.
SMS phishing message sent to Twilio employees (Twilio)
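The keyword pattern described above lends itself to a simple defensive check over hostnames seen in DNS, proxy, or certificate-transparency logs. The following is an added example, not code from the article, Group-IB, or any affected company; the brand name `examplecorp`, the allowlist, and the sample hostnames are constructed, and the registrable-domain logic naively assumes single-label TLDs.

```python
# Keywords the article reports in the campaign's phishing domains.
KEYWORDS = ("okta", "help", "vpn", "sso")


def registrable(host):
    """Last two labels of a hostname (assumption: no multi-part TLDs like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_lookalikes(hosts, brands, allowlist):
    """Return (host, matched_brands, matched_keywords) for suspicious hostnames.

    A host is flagged only when it is outside the organization's own
    registrable domains AND combines a brand string with a campaign keyword.
    Requiring both keeps substring noise down (e.g. "sso" inside "lessons").
    """
    hits = []
    for raw in hosts:
        host = raw.strip().lower().rstrip(".")
        if not host or registrable(host) in allowlist:
            continue  # empty line, or a legitimate company-owned domain
        name = host.rsplit(".", 1)[0]  # ignore the TLD itself
        kws = [k for k in KEYWORDS if k in name]
        brs = [b for b in brands if b in name]
        if kws and brs:
            hits.append((host, brs, kws))
    return hits


# Constructed sample input using reserved TLDs; not real indicators.
SAMPLE_HOSTS = [
    "examplecorp-okta.test",              # brand + keyword on a foreign domain
    "sso.examplecorp.example",            # legitimate: under the allowlisted domain
    "examplecorp.example.vpn-help.test",  # real domain used as a subdomain prefix
    "lessons.school.test",                # contains "sso" but no brand
    "helpdesk.vendor.test",               # keyword only, no brand
]

if __name__ == "__main__":
    for host, brs, kws in find_lookalikes(
        SAMPLE_HOSTS, brands=["examplecorp"], allowlist={"examplecorp.example"}
    ):
        print(f"ALERT {host} brand={brs} keywords={kws}")
```

The third sample shows why the allowlist is compared against the registrable domain rather than matched as a substring: the legitimate domain appears in the hostname, but only as a subdomain of an unrelated one.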
These attacks were very successful, leading to additional reported data breaches at MailChimp and Klaviyo and an attempted breach of Cloudflare.
Other companies targeted in the attack include Coinbase, KuCoin, Binance, Microsoft, Telus, Verizon Wireless, T-Mobile, AT&T, Sprint, Rogers, Mailgun, Slack, Box, SendGrid, Yahoo, Sykes, BestBuy, and Infosys.
However, none of these other companies have disclosed whether the attacks were successful.
8/26/22 update: Story updated to clarify that the DoorDash breach was conducted by the same hackers as Twilio but not through Twilio