The stolen data included customer names, email addresses, delivery addresses and phone numbers. A smaller number of customers also had basic order data and partial payment card information stolen, according to a notice posted on the food delivery company’s website on Thursday. More-sensitive information, like full credit card numbers and account passwords, wasn’t compromised, the notice said.
The thieves also got away with the names, phone numbers and email addresses of DoorDash delivery workers. The company didn’t say how many customers and delivery workers in total had their information stolen, just that “a small percentage” of people whose data is maintained by DoorDash were affected.
DoorDash said it discovered the breach after detecting “unusual and suspicious activity” from the computer network of a third-party vendor, which it didn’t name. In response, it said, it cut off the vendor’s access to its system and took steps to contain the incident.
DoorDash said it appears the vendor was compromised by a sophisticated phishing attack that allowed cybercriminals to steal employee credentials that gave them access to some of DoorDash’s internal tools. The company added that the phishing attack against the vendor appears to be part of a larger campaign that’s also targeted other companies and drawn the attention of law enforcement.
In response to the breach, DoorDash said, it’s taken steps to boost its own security and that of its third-party vendors. It said it’s also assisting law enforcement officials in their investigation of the broader phishing campaign.