Supply and takeout agency DoorDash has had a few of its buyer information accessed as the results of a phishing assault, it has confirmed. 

In a weblog publish, the corporate mentioned it was the newest to be affected by the knock-on results of a cyberattack that hit Twilio earlier this month.

DoorDash mentioned that when the unknown attackers breached Twilio’s endpoints (opens in new tab), they stole login credentials that some Twilio workers used to entry sure DoorDash instruments. Utilizing these credentials, the attackers proceeded to entry delicate information it was holding.

Passwords and cost information secure

The corporate didn’t give out the precise variety of customers affected by the breach asides from saying a “small proportion” of people might be impacted, however did verify what information was accessed.

“For shoppers, the data accessed primarily included title, e mail handle, supply handle, and cellphone quantity,” the weblog reads. “For a smaller set of shoppers, primary order data and partial cost card data (i.e., the cardboard sort and final 4 digits of the cardboard quantity) was additionally accessed. For Dashers, the data accessed by the unauthorized social gathering primarily included title and cellphone quantity or e mail handle.” 

Passwords, full cost card numbers, checking account numbers, Social Safety numbers, and Social Insurance coverage numbers, weren’t accessed, the corporate confirmed, additionally including that it discovered no proof of the compromised information getting used for fraud or id theft (opens in new tab).

To mitigate the problem, DoorDash blocked Twilio’s entry to its techniques in the interim. It additionally mentioned it “additional enhanced” its safety techniques, in addition to its third-party vendor’s safety techniques, with out detailing precisely what was achieved. 

“We now have additionally shared safety alerts with different third-party distributors detailing the precise ways used and reminded workers and third-party distributors to be on alert for any suspicious exercise.”

The corporate additionally introduced in a cybersecurity agency to help with the continuing investigation, notified its customers, and contacted regulation enforcement. 

• These are the perfect id administration instruments (opens in new tab) proper now