DoorDash customer data affected by a phishing attack

Delivery and takeaway company DoorDash has confirmed that some of its customer data was accessed following a phishing attack.

In a blog post, the company said it was the latest to be affected by the fallout from a cyberattack that hit Twilio earlier this month.

DoorDash said that when unknown attackers breached Twilio's terminals, they stole login credentials that some Twilio employees used to access certain DoorDash tools. Using these credentials, the attackers went on to access sensitive data.

Secure passwords and payment details

The company did not give the specific number of users affected by the breach, aside from saying that a "small percentage" of people may be affected, but did confirm what data was accessed.

"For consumers, the information viewed primarily included name, email address, shipping address, and phone number," the blog reads. "For a smaller group of consumers, basic order information and partial payment card information (i.e. card type and last four digits of card number) have also been queried. For Dashers, the information seen by the unauthorized party primarily included name and phone number or email address."

Passwords, full payment card numbers, bank account numbers and social security numbers were not accessed, the company confirmed, adding that it found no evidence that the compromised data was used for fraud or identity theft.

To mitigate the issue, DoorDash has blocked Twilio's access to its systems for now. It also said it had "further improved" its security systems, as well as its third-party provider's security systems, without detailing exactly what was done.

"We have also shared security alerts with other third-party vendors detailing the specific tactics used, and we remind employees and third-party vendors to be on the lookout for suspicious activity."

The company also enlisted a cybersecurity firm to help with the ongoing investigation, notified its users, and contacted law enforcement.